WordPress Security Bulletin: Bucketlister Plugin Vulnerability (CVE-2025-15477)

On this page

Security Alert Summary

The Bucketlister plugin for WordPress contains a SQL injection vulnerability in its shortcode attributes that can be abused by authenticated users with Contributor-level access and above to extract sensitive information from the site database. Site owners should review affected versions and follow recommended mitigations.


CVE Details

  • CVE ID: CVE-2025-15477
  • Affected component: The Bucketlister plugin for WordPress
  • Affected versions: All versions up to and including 0.1.5
  • Published: February 7, 2026 at 9:15:59 AM
  • Last modified: February 7, 2026 at 9:15:59 AM
  • CVSS v3.1: Base Score 6.5 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Authentication / Privileges / User interaction: Requires an authenticated user with low privileges (Contributor-level and above as noted in the description). No user interaction required (UI:N).
  • Primary impact: Confidentiality: High; Integrity: None; Availability: None
  • Weakness (CWE): CWE-89 (SQL Injection)

Technical Details

The vulnerability is a SQL injection in the Bucketlister plugin stemming from insufficient escaping and lack of proper preparation of an existing SQL query. Specifically, the plugin’s shortcode attributes category and id accept user-supplied input that is incorporated into a database query without adequate sanitization or parameterization. As a result, an authenticated attacker with Contributor-level access or higher can append additional SQL queries into the existing query string to retrieve sensitive data from the database.

The CVE description identifies the shortcode attributes (category and id) as the vectors; no additional functions, REST endpoints, or fixed versions are specified in the CVE entry. The issue exists because user input is not properly escaped or prepared before being used in SQL statements.


How This Could Impact Your Website

Consider a small team running a WordPress site: the site owner, an internal content editor, and an external contractor who contributes posts. If the contractor or an editor has Contributor-level access and uses a page or post containing the vulnerable shortcode with manipulated category or id attributes, an attacker could craft input that causes database queries to return sensitive data.

Practical consequences based on the CVSS confidentiality impact include exposure of sensitive information such as user email addresses, profile details, or other database-held records. Exposed emails and account details can increase the risk of targeted phishing or social engineering against staff or users. The vulnerability description does not indicate modification or deletion of data (integrity and availability impacts are listed as none), so the primary concern is unauthorized data disclosure.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a patched version.)
  • Review and reduce unnecessary user roles; limit Contributor-level access where possible.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from the site.
  • Monitor site activity and database access logs for unusual behavior or unexpected queries.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References