CVE-2025-10002: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in clickwhale ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages
The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to SQL Injection via the export_csv() function in all versions up to, and including, 2.5.0 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower-level users if access to the plugin is granted.
AI Analysis
Technical Summary
CVE-2025-10002 is an SQL Injection vulnerability identified in the ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages WordPress plugin, affecting all versions up to and including 2.5.0. The vulnerability exists in the export_csv() function, where a user-supplied parameter is insufficiently escaped and the SQL query is not properly prepared, allowing an attacker to append arbitrary SQL to the existing query. This improper neutralization of special elements (CWE-89) enables authenticated users with Administrator privileges or higher to execute additional SQL queries and potentially extract sensitive data from the backend database. Although exploitation requires authentication, the risk increases if lower-privilege users are granted access to the plugin interface. The vulnerability requires no user interaction beyond authentication, and its impact is confined to confidentiality: data integrity and availability are not affected. No public exploits have been reported yet, but the vulnerability is publicly disclosed and assigned a CVSS v3.1 base score of 4.9, indicating medium severity. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in the WordPress database, which may include user data, affiliate tracking details, and other confidential information managed by the plugin. Organizations using this plugin risk data leakage if attackers with sufficient privileges exploit the flaw. Since the vulnerability requires authenticated access, the threat is largely limited to insiders or compromised accounts with elevated privileges. However, if lower-privilege users have access to the plugin, the attack surface broadens. The confidentiality breach could lead to further attacks such as credential theft, targeted phishing, or business intelligence gathering by adversaries. There is no direct impact on data integrity or availability, so the threat does not include data manipulation or denial of service. Overall, the vulnerability undermines trust in the affected WordPress sites and could have reputational and compliance consequences for organizations handling sensitive affiliate or user data.
Mitigation Recommendations
1. Immediately restrict access to the ClickWhale plugin interface to only trusted Administrator-level users and review user roles to ensure least-privilege principles are enforced.
2. Monitor user accounts for suspicious activity, especially those with access to the plugin.
3. Implement Web Application Firewall (WAF) rules to detect and block SQL Injection patterns targeting the export_csv() function.
4. Until an official patch is released, consider disabling the export_csv() functionality or the entire plugin if feasible to eliminate the attack vector.
5. Apply strict input validation and sanitization on all user-supplied parameters related to the plugin, possibly via custom code or security plugins that enforce parameter filtering.
6. Regularly back up the WordPress database and monitor logs for unusual SQL query patterns.
7. Stay updated with vendor advisories and apply patches promptly once available.
8. Educate administrators about the risks of privilege escalation and the importance of strong authentication mechanisms to prevent account compromise.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-04T18:21:57.134Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cf42444a0b186b9321b035
Added to database: 9/21/2025, 12:09:40 AM
Last enriched: 2/27/2026, 5:59:45 PM
Last updated: 3/24/2026, 9:20:05 PM