CVE-2025-14124
published 2026-01-05


Priority: P2 (67, high)
CVSS 3.1: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Exploit: none linked
EPSS: 1.56% (72.1 percentile)
The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Detection & IOCs (extracted from sources)

version: Team WordPress plugin < 5.0.11
yara
rule TLP_Team_WordPress_Plugin_SQLi {
  meta:
    description = "Detects the Team WordPress plugin (TLP Team); presence only, the version must be confirmed separately to establish exposure to CVE-2025-14124"
    cve = "CVE-2025-14124"
  strings:
    // Product string emitted by the plugin; a bare string match fingerprints presence, not version
    $s1 = "TLP Team"
  condition:
    // status_code is not a YARA identifier and would not compile; restrict to HTTP 200 bodies
    // in the scanner that feeds YARA, not in the rule itself
    $s1
}
  • The SQL injection is reachable through an AJAX action by unauthenticated users. Monitor requests to wp-admin/admin-ajax.php for SQL metacharacters and classic injection tokens (quotes, comment sequences, UNION/SELECT, SLEEP/BENCHMARK) in parameters. Note that web-server access logs only carry GET query strings; inspecting POST bodies requires request-body logging or a WAF in front of the site.
  • Fingerprint vulnerable installations by checking for a Team plugin version string below 5.0.11 in HTTP responses, e.g. the "Stable tag:" line of the plugin's readme.txt under wp-content/plugins/ or version strings in response bodies and headers.
  • The AJAX action name and the vulnerable parameter are not disclosed in the available sources; until the exact action is confirmed, monitor all unauthenticated admin-ajax.php requests rather than filtering on a specific action value.
  • A fingerprint rule in the sources carries a version field with the value '6'; this appears to be a nuclei/detection-rule severity or protocol field rather than a plugin version number. Validate rule logic before deployment.
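The two checks the bullets above describe, as an added example that is not part of the original page or of the plugin vendor's code: a scanner that flags admin-ajax.php requests in access-log lines whose query-string values carry SQL injection tokens, and a readme.txt "Stable tag:" parser that decides whether the installed version is below the fixed 5.0.11. The log lines, the readme text, the plugin directory name "tlp-team" and the action value "placeholder_action" are constructed here; the real vulnerable action and parameter are not disclosed, so the scanner does not filter on action.

```python
"""Added example: heuristic detection for CVE-2025-14124 (Team WordPress plugin < 5.0.11).

Not code from the original page or from the plugin vendor. All sample data below is
constructed for illustration; the AJAX action and parameter names are placeholders.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Version that ships the fix, per the advisory text.
FIXED_VERSION = (5, 0, 11)

# Tokens rarely seen in legitimate AJAX parameters but typical of SQLi probes.
# This is a heuristic: a lone apostrophe (e.g. "O'Brien") will also match, so
# treat hits as leads to triage, not as proof of exploitation.
SQLI_PATTERN = re.compile(
    r"('|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bor\b\s+\d+\s*=\s*\d+)",
    re.IGNORECASE,
)

# Apache/nginx combined log format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log sample: one benign request, two injection probes
# (UNION-based and time-based), and one readme fetch that is not an AJAX call.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=placeholder_action&id=1 HTTP/1.1" 200 512',
    '192.0.2.77 - - [05/Jan/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=placeholder_action&id=1%27%20UNION%20SELECT%20user_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 2048',
    '198.51.100.5 - - [05/Jan/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=placeholder_action&id=1)%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Jan/2026:10:00:12 +0000] "GET /wp-content/plugins/tlp-team/readme.txt HTTP/1.1" 200 3000',
]

# Constructed readme.txt body; the directory name "tlp-team" is an assumption.
SAMPLE_README = """=== Team ===
Contributors: example
Requires at least: 5.0
Stable tag: 5.0.9
License: GPLv2
"""


def parse_version(text):
    """'5.0.9' -> (5, 0, 9). Non-numeric suffixes such as '-beta' are dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version_text):
    """True when the version sorts below the fixed release 5.0.11 (tuple comparison)."""
    version = parse_version(version_text)
    return bool(version) and version < FIXED_VERSION


def version_from_readme(readme_text):
    """Return the 'Stable tag:' value of a WordPress plugin readme.txt, or None."""
    m = re.search(r"^\s*Stable tag:\s*([\w.\-]+)", readme_text, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def suspicious_params(path):
    """Map of query parameters whose decoded value matches SQLI_PATTERN."""
    hits = {}
    for key, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if SQLI_PATTERN.search(value):
            hits[key] = value
    return hits


def scan_log(lines):
    """Flag admin-ajax.php requests carrying injection-looking query values.

    Only GET query strings are visible in access logs; POST bodies need
    request-body logging or a WAF to be inspected the same way.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "/wp-admin/admin-ajax.php" not in m.group("path"):
            continue
        hits = suspicious_params(m.group("path"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "method": m.group("method"),
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    tag = version_from_readme(SAMPLE_README)
    print(f"readme Stable tag {tag}: vulnerable={is_vulnerable(tag)}")
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} status={f['status']} params={f['params']}")
```

The version check deliberately compares integer tuples rather than strings, so "5.0.9" is correctly ordered below "5.0.11"; a plain string comparison would get that wrong.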