CVE-2025-14124
Published 2026-01-05
Priority: P2 67 · Severity: high · CVSS 3.1 base score: 8.6
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploit likelihood (EPSS): 1.56% (72.1st percentile)
The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Detection & IOCs (extracted from sources)
yara

rule TLP_Team_WordPress_Plugin_SQLi {
    meta:
        description = "Detects Team WordPress Plugin (TLP Team) version vulnerable to CVE-2025-14124"
        cve = "CVE-2025-14124"
    strings:
        // Plugin name as it appears in the served readme.txt / HTML
        $s1 = "TLP Team"
    condition:
        // YARA has no notion of an HTTP status code; the original
        // "status_code == 200" clause belongs to the Nuclei template and
        // does not compile here. Apply this rule to the response body
        // after the HTTP client has already filtered on status 200.
        $s1
}

- SQL injection is reachable via an AJAX action by unauthenticated users — monitor WordPress AJAX endpoints (wp-admin/admin-ajax.php) for anomalous SQL metacharacters or payloads in requests targeting the Team plugin.
- Fingerprint vulnerable installations by checking for the Team WordPress plugin version string below 5.0.11 in HTTP responses (e.g., plugin readme.txt or response headers).
- The AJAX action name and specific vulnerable parameter are not disclosed in the available sources; defenders should monitor all unauthenticated AJAX requests to the Team plugin until the exact action is confirmed.
- The fingerprint rule version field value '6' appears to be a nuclei/detection-rule severity or protocol field rather than a plugin version number — validate rule logic before deployment.
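The two detection approaches listed above (scanning admin-ajax.php requests for SQL metacharacters, and fingerprinting the plugin version against the 5.0.11 fix threshold) combined into one runnable script. This is an added example, not code from this page, the plugin, or the Nuclei project. It assumes Apache/nginx combined log format; the sample log lines, the readme excerpt and the action name `example_action` are constructed placeholders, since the real vulnerable action and parameter are not disclosed in the sources.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Fix version taken from the advisory text: versions before 5.0.11 are affected.
FIXED_VERSION = "5.0.11"

# Constructed sample access-log lines (combined log format); not real traffic.
# "example_action" is a hypothetical AJAX action name, not the undisclosed real one.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51
203.0.113.7 - - [05/Jan/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=5 HTTP/1.1" 200 812
203.0.113.9 - - [05/Jan/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=5%27%20OR%201%3D1-- HTTP/1.1" 200 4096
203.0.113.9 - - [05/Jan/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=5%20AND%20SLEEP%285%29 HTTP/1.1" 200 4096
203.0.113.11 - - [05/Jan/2026:10:00:05 +0000] "GET /index.php?p=1 HTTP/1.1" 200 100
"""

# Constructed readme.txt excerpt, shaped like a WordPress plugin readme.
SAMPLE_README = """\
=== Team ===
Contributors: example
Stable tag: 5.0.9
Requires at least: 5.0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)

# SQL metacharacters and keywords that have no business in a plugin's AJAX parameters.
SQLI_RE = re.compile(
    r"""['"`;]|--|/\*|\b(?:UNION|SELECT|SLEEP|BENCHMARK|INFORMATION_SCHEMA)\b|\bOR\b\s+\S+\s*=\s*\S+""",
    re.IGNORECASE,
)

STABLE_TAG_RE = re.compile(r"^Stable tag:\s*([\d.]+)", re.MULTILINE)


def suspicious_params(target):
    """Return (action, param, decoded_value) triples for admin-ajax.php
    requests whose parameter values contain SQL metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes %xx once
    action = next((v for k, v in params if k == "action"), "")
    hits = []
    for key, value in params:
        if key == "action":
            continue
        decoded = unquote_plus(value)  # second pass catches double-encoded payloads
        if SQLI_RE.search(decoded):
            hits.append((action, key, decoded))
    return hits


def scan_log(text):
    """Scan combined-format log text; return one finding dict per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for action, key, value in suspicious_params(m.group("target")):
            findings.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "action": action,
                "param": key,
                "value": value,
            })
    return findings


def parse_version(version):
    """Turn '5.0.9' into a comparable integer tuple."""
    return tuple(int(x) for x in version.split("."))


def is_vulnerable_version(version):
    """True if the plugin version is below the fixed release (zero-padded compare)."""
    a, b = parse_version(version), parse_version(FIXED_VERSION)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def version_from_readme(readme_text):
    """Extract the 'Stable tag' version string from a plugin readme.txt, or None."""
    m = STABLE_TAG_RE.search(readme_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} action={f['action']} {f['param']}={f['value']!r}")
    v = version_from_readme(SAMPLE_README)
    print(f"readme reports {v}; vulnerable: {is_vulnerable_version(v)}")
```

The request scan is deliberately broad because the vulnerable action is unknown; once the action name is confirmed, narrow `suspicious_params` to that action to cut noise from legitimate plugins that accept quotes in free-text fields.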
Nuclei
Template: CVE-2025-14124 [HIGH] Team WordPress Plugin (TLP Team) <= 5.0.9 - SQL Injection (nuclei · CVSS 8.6)
Matchers as extracted from the template:
- version: Team WordPress Plugin (TLP Team) = 6
- status_code == 200
- condition: and
# digest: 4b0a00483046022100db384ccd128052c0b54f57feff57ab2266d69fe3c6f4ca5aab84c6b4f8fc12b4022100d62cb377baacbd596a5fd5e431656ba33f7ebfef62063d90482b28ae03c6a3be:922c64590222798bb761d5b6d8e72950