CVE Alert: CVE-2025-9073 – maheshmthorat – All in one Minifier

CVE-2025-9073

Severity: HIGH
Exploitation status: No exploitation known

The All in one Minifier plugin for WordPress is vulnerable to SQL Injection via the ‘post_id’ parameter in all versions up to, and including, 3.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS v3.1 (7.5)
Vendor
maheshmthorat
Product
All in one Minifier
Versions
* lte 3.2
CWE
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Published
2025-09-11T07:24:53.628Z
Updated
2025-09-11T07:24:53.628Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated SQL injection enables remote data exposure; escalate to priority 1 if KEV indicates exploitation or EPSS ≥ 0.5.

Why this matters

The vulnerability allows an attacker to append arbitrary SQL via the post_id parameter, potentially dumping sensitive database contents without any user credentials. Public-facing WordPress sites using the plugin are especially exposed, risking customer data leakage and compliance impacts.

Most likely attack path

Remote attacker sends a crafted request to the vulnerable endpoint (likely admin-ajax.php) with a manipulated post_id; no authentication or user interaction is required, making exploitation highly feasible against any site with the plugin installed. The only precondition is plugin presence: no privileges or UI interaction are needed, and the injected SQL runs with the database privileges of the WordPress application's own connection.

Who is most exposed

Sites running WordPress with All in one Minifier <= 3.2, particularly on shared or public hosting with the plugin enabled and admin-ajax accessible, are the primary exposure.

Detection ideas

  • Logs show unusual or verbose SQL fragments in responses or error messages around admin-ajax.php.
  • Repeated requests with suspicious post_id values or patterns indicative of SQL injection attempts.
  • DB or application logs show abnormal long-running queries or data-access anomalies.
  • WAF/IPS alerts triggered by SQLi-like payloads targeting the plugin.
  • Increased data exfiltration indicators (unexpected query results) from the affected endpoint.
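The second detection idea above, flagging admin-ajax.php requests whose post_id is not a plain integer, as an added example that is not part of this advisory or of the plugin. The log lines are constructed, the AJAX action name is a placeholder (the advisory does not name the vulnerable action), and only GET query strings are covered, since POST bodies do not appear in access logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format prefix: client, identd, user, [time], "METHOD TARGET PROTO", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample access-log lines (not from any real site). "example_action" is a
# placeholder; the advisory does not name the plugin's vulnerable AJAX action.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Sep/2025:08:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&post_id=42 HTTP/1.1" 200 512
203.0.113.5 - - [11/Sep/2025:08:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&post_id=42%27 HTTP/1.1" 500 128
198.51.100.7 - - [11/Sep/2025:08:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&post_id=1%20OR%201%3D1 HTTP/1.1" 200 9801
192.0.2.9 - - [11/Sep/2025:08:03:00 +0000] "GET /index.php?p=42 HTTP/1.1" 200 3000
"""

def parse_line(line):
    """Return (client, method, path, query, status) or None if the line is not a request record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, method, target, status, _size = m.groups()
    parts = urlsplit(target)
    return client, method, parts.path, parts.query, int(status)

def suspicious_post_id(value):
    """post_id names a WordPress post ID, so anything but digits is anomalous.
    Returns a reason string, or None when the value looks legitimate."""
    if value.isdigit():
        return None
    if re.search(r"""['"`;#]|--|/\*|\b(or|and|union|select|sleep)\b""", value, re.I):
        return "sql metacharacters or keywords in post_id"
    return "non-integer post_id"

def scan_log(text):
    """Return one finding per admin-ajax.php request whose post_id looks injected."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        client, _method, path, query, status = parsed
        if not path.endswith("/admin-ajax.php"):
            continue
        for value in parse_qs(query).get("post_id", []):  # parse_qs URL-decodes the values
            reason = suspicious_post_id(value)
            if reason:
                findings.append({"client": client, "post_id": value,
                                 "status": status, "reason": reason})
    return findings
```

Grouping the findings by client, or feeding the same non-integer check into a WAF rule on the post_id parameter, turns this into the repeated-request signal and the virtual patch named in the mitigation list.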

Mitigation and prioritisation

  • Upgrade to a patched release or remove the plugin until fixed.
  • If immediate patching isn’t possible, temporarily disable the vulnerable endpoint (e.g., limit admin-ajax access) or uninstall the plugin.
  • Apply WAF/IPS rules to block SQL injection patterns targeting the post_id parameter.
  • Verify backups and perform post-change testing in a staging environment.
  • If KEV is true or EPSS ≥ 0.5, treat as priority 1; otherwise classify as High with urgent patching.
