CVE-2025-10003 identifies a time-based SQL Injection vulnerability in the UsersWP plugin for WordPress, specifically in the 'upload_file_remove' function via the 'htmlvar' parameter. This vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89), where user-supplied input is insufficiently escaped and the SQL queries lack proper preparation or parameterization. As a result, an unauthenticated attacker can inject malicious SQL code that appends additional queries to the existing ones, enabling extraction of sensitive data from the backend database. The vulnerability affects all versions up to and including 1.2.44. The CVSS 3.1 base score is 6.5, indicating medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). No known exploits are currently in the wild, and no official patches have been published yet. The vulnerability is significant because it allows data exfiltration without authentication or user interaction, leveraging a common web application weakness in WordPress plugins that handle user input improperly. This can compromise user privacy and potentially expose credentials or other sensitive information stored in the database.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information stored in the WordPress database, including potentially user credentials, personal data, and site configuration details. This breach of confidentiality can lead to further attacks such as account takeover, privilege escalation, or targeted phishing campaigns. Since the vulnerability does not affect integrity or availability directly, the immediate risk is data leakage rather than service disruption. However, attackers could leverage the extracted information to perform more damaging attacks. Organizations running WordPress sites with the affected plugin are at risk, especially those handling sensitive user data such as membership sites, e-commerce platforms, or community portals. The ease of exploitation over the network without user interaction increases the threat level. The lack of authentication requirement means any remote attacker can attempt exploitation, broadening the attack surface. The absence of known exploits in the wild currently limits immediate risk, but the medium severity score and common use of the plugin suggest a potential for future exploitation.

Until an official patch is released, organizations should consider the following mitigations: 1) Disable or remove the UsersWP plugin if it is not essential to reduce exposure. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'upload_file_remove' function and 'htmlvar' parameter. 3) Apply manual input validation and sanitization on the 'htmlvar' parameter if custom development is feasible, ensuring all user inputs are properly escaped or parameterized in SQL queries. 4) Monitor web server and database logs for unusual query patterns or time delays indicative of time-based SQL injection attempts. 5) Restrict database user permissions to the minimum necessary to limit data exposure in case of exploitation. 6) Plan to update the plugin promptly once a security patch is available from the vendor. 7) Educate site administrators about the risks and signs of exploitation to enable rapid response. These steps go beyond generic advice by focusing on immediate risk reduction and detection tailored to this specific vulnerability's characteristics.