Add CVE-2025-2221 - WordPress WPCOM Member SQL Injection

[neosmith1]

Template Details

• CVE: CVE-2025-2221
• Product: WPCOM Member WordPress Plugin
• Vulnerability: Unauthenticated SQL Injection
• Severity: High (7.5 CVSS)
• Detection: Time-based blind SQL injection via user_phone parameter

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-2221
• https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpcom-member/wpcom-member-176-unauthenticated-sql-injection

[neo-by-projectdiscovery-dev]

Neo - Nuclei Template Review

No security issues found

Hardening Notes

• The template now properly extracts the nonce from wpcom_login_modal action before attempting SQL injection
• Timeout directive (@timeout: 25s) appropriately accommodates the 6-second SLEEP payload with network latency buffer
• Metadata improvements include proper vendor name (Bastien Ho), fofa-query, and unauthenticated tag

_{Comment @pdneo help for available commands. · Open in Neo}

[Akokonunes]

Hi @neosmith1

Thank you for contributing this template to the community! This appears to be AI-generated based on the template structure and testing claims. We tried to reproduce the PoC on a vulnerable target but were unable to confirm the behavior. If you believe the template is correct, please send details or a vulnerable lab environment to templates@projectdiscovery.io.