Skip to main content
CVE Vulnerability Database

CVE-2025-6718: B1.lt WordPress Plugin SQLi Vulnerability

CVE-2025-6718 is a SQL injection flaw in the B1.lt WordPress plugin that allows authenticated attackers with Subscriber-level access to execute arbitrary SQL commands. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2025-6718 Overview

CVE-2025-6718 is a SQL Injection vulnerability in the B1.lt plugin for WordPress affecting all versions up to and including 2.2.57. The flaw stems from a missing capability check on the b1_run_query AJAX action. Authenticated users with Subscriber-level access or higher can execute arbitrary SQL commands against the WordPress database. The weakness is categorized under CWE-862: Missing Authorization.

Successful exploitation lets attackers read, modify, or delete database content, including user credentials and session tokens. Because the action is exposed to any authenticated subscriber, the attack surface includes any site that allows user registration.

Critical Impact

Authenticated attackers with Subscriber-level access can execute arbitrary SQL queries, leading to full database compromise and potential site takeover.

Affected Products

  • B1.lt WordPress plugin (b1-accounting) versions up to and including 2.2.57
  • WordPress sites that permit user registration at Subscriber level or higher
  • Any deployment of the B1.lt accounting plugin prior to the patched release

Discovery Timeline

  • 2025-07-18 - CVE-2025-6718 published to the National Vulnerability Database (NVD)
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-6718

Vulnerability Analysis

The B1.lt plugin registers the b1_run_query AJAX action without verifying the caller's WordPress capability. Any authenticated session, including Subscriber accounts, can invoke the handler and supply SQL statements that are passed to the database layer. The plugin does not enforce role-based authorization or parameterize the query string before execution.

This combination of missing authorization and direct query execution produces a classic SQL injection primitive with full read and write access. Attackers can enumerate WordPress tables, extract wp_users password hashes, modify user roles, or insert administrative accounts. With write access to the options table, attackers can also alter site configuration to escalate to remote code execution.

Root Cause

The root cause is the absence of a current_user_can() capability check on the b1_run_query AJAX endpoint. WordPress AJAX actions registered under wp_ajax_* are accessible to any authenticated user unless the handler explicitly enforces a capability. The B1.lt handler omits this control and forwards user-controlled input to the SQL execution path.

Attack Vector

An attacker registers or logs in with Subscriber-level credentials, obtains a valid nonce, and sends a POST request to /wp-admin/admin-ajax.php with action=b1_run_query and a crafted SQL payload. The plugin executes the query and returns results to the attacker. No user interaction beyond authentication is required, and the attack is performed entirely over the network.

See the Wordfence Vulnerability Intel entry and the upstream WordPress Plugin Changeset for the patched handler.

Detection Methods for CVE-2025-6718

Indicators of Compromise

  • POST requests to /wp-admin/admin-ajax.php containing action=b1_run_query originating from low-privilege user sessions
  • Unexpected new administrator accounts in wp_users or role changes in wp_usermeta
  • Outbound database dumps or large response payloads from admin-ajax.php to Subscriber-level sessions
  • Modifications to wp_options entries such as siteurl, home, or active_plugins without administrator activity

Detection Strategies

  • Inspect web server access logs for admin-ajax.php requests with the b1_run_query action parameter
  • Alert on SQL keywords (UNION, SELECT, INSERT, UPDATE, DROP) appearing in POST bodies to the AJAX endpoint
  • Correlate Subscriber-level authentication events with administrative database changes within short time windows
  • Deploy a Web Application Firewall (WAF) rule that blocks b1_run_query requests from non-administrative sessions

Monitoring Recommendations

  • Forward WordPress and web server logs to a centralized SIEM for query-pattern analysis
  • Track new user registrations and role escalations on sites that permit open registration
  • Baseline normal admin-ajax.php action distribution and alert on the appearance of b1_run_query from non-admin users
  • Monitor file integrity for wp-content/plugins/b1-accounting/ to detect tampering or rollback to vulnerable versions

How to Mitigate CVE-2025-6718

Immediate Actions Required

  • Update the B1.lt plugin to the version released after 2.2.57 that includes the capability check fix
  • Audit wp_users and wp_usermeta for unauthorized administrator accounts created since plugin installation
  • Force a password reset for all administrator accounts and rotate any secrets stored in wp_options
  • Restrict or disable open user registration on sites that do not require it

Patch Information

The vendor addressed the issue in a release published after version 2.2.57. Review the upstream WordPress Plugin Changeset 3338792 and the B1.lt plugin page for the corrected handler that enforces an administrator capability check on the b1_run_query AJAX action.

Workarounds

  • Deactivate and remove the B1.lt plugin until the patched version is deployed
  • Add a WAF rule that blocks POST requests to admin-ajax.php containing action=b1_run_query unless the user holds the manage_options capability
  • Restrict access to /wp-admin/admin-ajax.php by IP allowlist where operationally feasible
  • Set the default WordPress registration role to a custom role with no AJAX access while triage is in progress
bash
# Example ModSecurity rule to block exploitation attempts
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,id:1006718,\
    msg:'CVE-2025-6718 B1.lt b1_run_query SQLi attempt'"
    SecRule ARGS:action "@streq b1_run_query" "t:none"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.