
CVE-2025-0866: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in torviswesley Legoeso PDF Manager

Severity: Medium
Tags: Vulnerability, CVE-2025-0866, CWE-89
Published: Thu Feb 20 2025 (02/20/2025, 09:21:38 UTC)
Source: CVE Database V5
Vendor/Project: torviswesley
Product: Legoeso PDF Manager

Description

CVE-2025-0866 is a medium severity SQL Injection vulnerability in the Legoeso PDF Manager WordPress plugin, affecting all versions up to and including 1.2.2. It arises from improper neutralization of special elements in the 'checkedVals' parameter, allowing authenticated users with Author-level access or higher to inject additional SQL into existing queries. This lets an attacker extract sensitive database information; exploitation requires network access and an authenticated account but no user interaction. No known exploits are currently reported in the wild. The vulnerability impacts confidentiality but not integrity or availability. Organizations using this plugin should prioritize patching or applying mitigations to prevent data leakage. Countries with significant WordPress usage and plugin adoption are at higher risk.

AI-Powered Analysis

AI analysis last updated: 02/25/2026, 23:58:28 UTC

Technical Analysis

CVE-2025-0866 is a time-based SQL Injection vulnerability identified in the Legoeso PDF Manager plugin for WordPress, affecting all versions up to and including 1.2.2. The root cause is insufficient escaping and lack of proper query preparation on the 'checkedVals' parameter, which is user-supplied. Authenticated attackers with Author-level privileges or higher can exploit this flaw by injecting additional SQL commands into existing queries. This injection allows attackers to perform time-based blind SQL Injection attacks, enabling extraction of sensitive information from the backend database. The vulnerability does not require user interaction but does require authentication, which limits the attacker scope to users with some level of access. The CVSS v3.1 score is 6.5 (medium), reflecting network attack vector, low attack complexity, and high confidentiality impact, but no impact on integrity or availability. No patches or known exploits are currently available, increasing the urgency for users to monitor for updates or apply workarounds. The vulnerability is classified under CWE-89, indicating improper neutralization of special elements in SQL commands.

Potential Impact

The primary impact of this vulnerability is unauthorized disclosure of sensitive data stored in the WordPress database, which may include user credentials, personal information, or site configuration details. Since the attack requires authenticated access at the Author level or above, the risk is limited to scenarios where attackers have compromised or obtained legitimate user credentials. However, many WordPress sites grant Author or higher privileges to multiple users, increasing the attack surface. Exploitation could lead to data breaches, loss of user trust, and potential compliance violations. The vulnerability does not affect data integrity or availability, so it is less likely to cause site defacement or downtime. Nonetheless, the ability to extract sensitive data can facilitate further attacks or lateral movement within the network. Organizations relying on this plugin for document management should consider the risk to their data confidentiality and take immediate action to mitigate exposure.

Mitigation Recommendations

1. Immediately restrict Author-level and higher privileges to trusted users only, minimizing the number of accounts that can exploit this vulnerability.
2. Monitor and audit user activities for suspicious behavior, especially SQL query anomalies or unusual data access patterns.
3. If possible, disable or uninstall the Legoeso PDF Manager plugin until a security patch is released.
4. Implement Web Application Firewall (WAF) rules to detect and block SQL Injection attempts targeting the 'checkedVals' parameter.
5. Encourage the vendor to release a patched version with proper parameterized queries or prepared statements to eliminate SQL Injection risks.
6. Regularly update WordPress core and plugins to the latest versions once patches become available.
7. Use database permissions to limit the scope of queries that can be executed by the WordPress application user, reducing potential data exposure.
8. Educate site administrators and users about the risks of privilege escalation and credential compromise to prevent unauthorized access.
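To make the root cause in the Technical Analysis and the parameterized-query fix in recommendation 5 concrete, here is an added illustration of the CWE-89 pattern beside a hardened WordPress handler. This is not the plugin's code: the function names, the table name `{$wpdb->prefix}legoeso_pdfs`, the nonce action and the assumption that 'checkedVals' carries a list of record IDs for a bulk action are all assumed.

```php
<?php
// Added illustration for CVE-2025-0866 (CWE-89); not the Legoeso PDF Manager code.
// Assumed: a bulk-action handler receives 'checkedVals' (array or comma-separated
// string of record IDs) and deletes rows from a hypothetical {$wpdb->prefix}legoeso_pdfs.

// UNSAFE pattern (the defect class the advisory describes): the raw parameter is
// interpolated into the statement, so any SQL it contains is executed as SQL.
function legoeso_bulk_delete_unsafe() {
    global $wpdb;
    $checked = isset( $_POST['checkedVals'] ) ? wp_unslash( $_POST['checkedVals'] ) : '';
    $wpdb->query( "DELETE FROM {$wpdb->prefix}legoeso_pdfs WHERE id IN ($checked)" );
}

// HARDENED version: capability and nonce checks, strict integer coercion of every
// value, and one %d placeholder per value bound through $wpdb->prepare().
function legoeso_bulk_delete_hardened() {
    global $wpdb;

    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // exits
    }
    check_ajax_referer( 'legoeso_bulk_action', 'nonce' ); // assumed nonce action name

    // Accept either an array or a comma-separated string, then allow-list to integers.
    $raw = isset( $_POST['checkedVals'] ) ? wp_unslash( $_POST['checkedVals'] ) : array();
    $raw = is_array( $raw ) ? $raw : explode( ',', (string) $raw );
    // absint() turns anything non-numeric into 0; array_filter() then drops those.
    $ids = array_values( array_filter( array_map( 'absint', $raw ) ) );

    if ( empty( $ids ) ) {
        wp_send_json_error( 'no valid ids' ); // exits
    }

    // Build "%d,%d,%d" for exactly count($ids) values; the list itself never reaches SQL.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}legoeso_pdfs WHERE id IN ($placeholders)",
        $ids
    );
    $deleted = $wpdb->query( $sql );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

The hardened form also addresses recommendation 1 indirectly: a capability check on the handler means the query only runs for roles that are supposed to perform the action, independent of how many accounts hold the Author role.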


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-29T22:54:27.229Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b6cb7ef31ef0b5554ce
Added to database: 2/25/2026, 9:36:44 PM
Last enriched: 2/25/2026, 11:58:28 PM
Last updated: 2/26/2026, 9:49:54 AM
