CVE-2025-7670: JS Archive List Plugin SQLi Vulnerability

CVE-2025-7670 Overview

The JS Archive List plugin for WordPress contains a time-based SQL Injection vulnerability in the build_sql_where() function affecting all versions up to and including 6.1.5. The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. This security flaw enables unauthenticated attackers to append malicious SQL queries to legitimate database operations, potentially extracting sensitive information from the WordPress database.

Critical Impact

Unauthenticated attackers can exploit this SQL Injection vulnerability to extract sensitive data from WordPress databases, including user credentials, email addresses, and other confidential information stored in the database.

Affected Products

• JS Archive List (jQuery Archive List Widget) plugin for WordPress versions up to and including 6.1.5
• WordPress installations using the vulnerable plugin versions
• Websites with publicly accessible archive list widgets

Discovery Timeline

• 2025-08-19 - CVE-2025-7670 published to NVD
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-7670

Vulnerability Analysis

This vulnerability is classified as CWE-89 (SQL Injection) and affects the build_sql_where() function within the class-jq-archive-list-datasource.php file. The root cause is a failure to properly sanitize and escape user-controlled input before incorporating it into SQL queries executed against the WordPress database.

Time-based SQL Injection attacks work by injecting SQL statements that cause conditional time delays in database responses. Attackers can infer information about the database structure and contents by measuring response times—if a query returns slowly, it confirms a condition is true; if it returns quickly, the condition is false. This technique allows data exfiltration without any visible error messages or direct output.

The vulnerability is particularly dangerous because it requires no authentication, meaning any external attacker can target vulnerable WordPress installations. The network-accessible attack vector combined with no required user interaction makes this vulnerability highly exploitable in real-world scenarios.

Root Cause

The vulnerability exists due to insufficient input validation and escaping in the build_sql_where() function. The plugin fails to use WordPress's built-in $wpdb->prepare() method or equivalent parameterized queries when constructing SQL statements. This allows user-supplied data to be interpreted as SQL commands rather than literal string values.

Attack Vector

The attack is conducted over the network against the WordPress installation's front-end. Attackers craft malicious requests containing SQL injection payloads that target the archive list widget functionality. Since the build_sql_where() function processes these inputs without proper sanitization, the injected SQL code executes within the context of the database query.

The time-based nature of this injection means attackers use SQL SLEEP() or BENCHMARK() functions combined with conditional logic to extract data bit-by-bit. For example, an attacker could determine whether the first character of an admin password hash matches a specific value based on whether the database response is delayed.

// Security patch in classes/class-jq-archive-list-widget.php
// Source: https://github.com/Skatox/jquery-archive-list/commit/1c4a5749b187cc65d2c4b192b9c9890a36bf1fd2

 		return $html;
 	}
 
-	private function year_should_be_expanded( $year, $cur_post_year, $cur_post_month ): bool {
+	public function year_should_be_expanded( $year, $cur_post_year, $cur_post_month ): bool {
 		if ( $this->config['expand'] === 'all' ) {
 			return true;
 		}

The patch includes code efficiency improvements and version updates to 6.1.6 that address the SQL injection vulnerability. For complete technical details on the fix, see the GitHub Commit Update and WordPress Changeset Update.

Detection Methods for CVE-2025-7670

Indicators of Compromise

• Abnormally slow database query response times, particularly when processing archive list requests
• Web server logs containing SQL injection payloads such as SLEEP(), BENCHMARK(), or conditional statements like AND 1=1
• Unusual patterns of requests targeting archive list widget endpoints with varying parameter values
• Database logs showing queries with unexpected time delays or syntax errors

Detection Strategies

• Implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns in request parameters
• Monitor WordPress error logs for SQL syntax errors or unexpected database exceptions
• Deploy intrusion detection systems configured to alert on time-based SQL injection signatures
• Review access logs for sequential requests with incrementing character values typical of automated SQL injection tools

Monitoring Recommendations

• Enable detailed database query logging to identify suspicious SQL patterns
• Configure alerting for requests with abnormally long response times from the affected plugin endpoints
• Implement rate limiting on archive list widget requests to slow automated extraction attempts
• Monitor for new file uploads or database modifications that could indicate successful data exfiltration

How to Mitigate CVE-2025-7670

Immediate Actions Required

• Update the JS Archive List plugin to version 6.1.6 or later immediately
• Audit database logs for any evidence of exploitation prior to patching
• Consider temporarily disabling the plugin if an update cannot be applied immediately
• Review and rotate database credentials if exploitation is suspected

Patch Information

The vulnerability has been addressed in version 6.1.6 of the JS Archive List plugin. The fix implements proper input sanitization and prepared statements for SQL queries. Administrators should update through the WordPress plugin dashboard or download the patched version from the WordPress Plugin Developer Info page.

For additional context on this vulnerability, refer to the Wordfence Vulnerability Report.

Workarounds

• Temporarily deactivate the JS Archive List plugin until the update can be applied
• Implement WAF rules to filter SQL injection payloads targeting archive list parameters
• Restrict access to WordPress admin and plugin endpoints using IP allowlisting
• Deploy a virtual patching solution through security plugins like Wordfence or Sucuri

# Disable the vulnerable plugin via WP-CLI
wp plugin deactivate jquery-archive-list-widget

# Update the plugin to the latest patched version
wp plugin update jquery-archive-list-widget

# Verify the installed version
wp plugin list --name=jquery-archive-list-widget --format=csv