CVE-2025-2106

Name of the Vulnerable Software and Affected Versions: ArielBrailovsky-ViralAd plugin for WordPress versions up to, and including, 1.0.8

Description: The issue allows unauthenticated attackers to perform SQL Injection via the text and id parameters of the limpia() function due to insufficient escaping on user-supplied parameters and lack of sufficient preparation on the existing SQL query. This enables attackers to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database. The exploitability of this issue seems to be limited to very old versions of WordPress.

Recommendations: For versions up to, and including, 1.0.8, consider updating to a version that includes a fix for this issue, as no specific workaround is provided for these versions. As a temporary workaround, consider disabling the limpia() function until a patch is available. Restrict access to the text and id parameters in the affected function to minimize the risk of exploitation.