{"id":86293,"date":"2026-01-15T15:47:08","date_gmt":"2026-01-15T15:47:08","guid":{"rendered":""},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-30T06:00:00","slug":"cve-2025-0853-sql-injection-vulnerability-in-pgs-core-plugin-for-wordpress","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-0853-sql-injection-vulnerability-in-pgs-core-plugin-for-wordpress\/","title":{"rendered":"<strong>CVE-2025-0853: SQL Injection Vulnerability in PGS Core Plugin for WordPress<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>The CVE-2025-0853 refers to a serious security vulnerability found in the PGS Core Plugin for WordPress. This vulnerability might allow unauthenticated attackers to execute SQL injections via the &#8216;event&#8217; parameter in the &#8216;save_header_builder&#8217; function. Due to the high severity of this issue, it presents a significant risk to WordPress websites using the PGS Core Plugin, as it could lead to system compromise or sensitive data exposure.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-0853<br \/>\nSeverity: High (CVSS: 7.5)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: None<br \/>\nImpact: System compromise and potential sensitive data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-2382257814\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 700px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 20px; font-weight: 600; display: flex; align-items: center;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 8px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 40px; height: 40px;\" \/>\r\n    <\/a>\r\n    A new way to communicate\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 12px;\">\r\n    Ameeba Chat is built on encrypted identity, not personal profiles.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 16px;\">\r\n    Message, call, share files, and coordinate with identities kept separate.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 20px;\">\r\n    <li>\u2022 Encrypted identity<\/li>\r\n    <li>\u2022 Ameeba Chat authenticates access<\/li>\r\n    <li>\u2022 Aliases and categories<\/li>\r\n    <li>\u2022 End-to-end encrypted chat, calls, and files<\/li>\r\n    <li>\u2022 Secure notes for sensitive information<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px;\">\r\n    Private communication, rethought.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Download Ameeba Chat<\/a>\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Learn More<\/a>\r\n  <\/div>\r\n<\/div>\r\n<\/div>\n<p>Product | Affected Versions<\/p>\n<p>PGS Core Plugin for WordPress | Up to and including 5.8.0<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The vulnerability is due to an input validation flaw in the &#8216;save_header_builder&#8217; function of the PGS Core Plugin for WordPress. By supplying a malicious &#8216;event&#8217; parameter in a request, an unauthenticated attacker could inject SQL commands into the back-end database. As the plugin does not properly sanitize this user-supplied input, the attacker&#8217;s SQL commands could be executed in the context of the application, leading to unauthorized data access, modification, or system compromise.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-4280640167\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<p>Here is a conceptual example of how this vulnerability might be exploited:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/wp-admin\/admin-ajax.php?action=save_header_builder HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/x-www-form-urlencoded\nevent=1; DROP TABLE users;--<\/code><\/pre>\n<p>In this example, the attacker sends a POST request to the vulnerable endpoint with an &#8216;event&#8217; parameter, containing a malicious SQL command that deletes the &#8216;users&#8217; table from the database.<\/p>\n<p><strong>Mitigation<\/strong><\/p>\n<p>Users of the affected PGS Core Plugin for WordPress are advised to apply the vendor patch as soon as it becomes available. As a temporary mitigation measure, users may also consider using Web Application Firewalls (WAF) or Intrusion Detection Systems (IDS) to detect and prevent exploitation attempts. Regularly updating all software components and conducting security audits can also help in identifying and preventing potential vulnerabilities in the future.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview The CVE-2025-0853 refers to a serious security vulnerability found in the PGS Core Plugin for WordPress. This vulnerability might allow unauthenticated attackers to execute SQL injections via the &#8216;event&#8217; parameter in the &#8216;save_header_builder&#8217; function. Due to the high severity of this issue, it presents a significant risk to WordPress websites using the PGS Core [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[],"tags":[],"vendor":[],"product":[],"attack_vector":[],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-86293","post","type-post","status-publish","format-standard","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/86293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=86293"}],"version-history":[{"count":0,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/86293\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=86293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=86293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=86293"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=86293"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=86293"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=86293"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=86293"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=86293"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=86293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}