
CVE-2025-10036: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in marceljm Featured Image from URL (FIFU)

Severity: Medium
Published: Fri Sep 26 2025 (09/26/2025, 04:25:17 UTC)
Source: CVE Database V5
Vendor/Project: marceljm
Product: Featured Image from URL (FIFU)

Description

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_all_urls() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI-Powered Analysis

Last updated: 09/26/2025, 04:38:16 UTC

Technical Analysis

CVE-2025-10036 is a medium-severity SQL Injection vulnerability affecting the Featured Image from URL (FIFU) WordPress plugin developed by marceljm. The vulnerability exists in the get_all_urls() function in all versions up to and including 5.2.7. The root cause is improper neutralization of special elements used in SQL commands (CWE-89), specifically insufficient escaping of user-supplied parameters and lack of prepared statements in the SQL query construction. This flaw allows authenticated attackers with Administrator-level privileges or higher to append malicious SQL queries to existing ones. Exploiting this vulnerability could enable attackers to extract sensitive information from the WordPress database, such as user credentials, site configuration, or other confidential data. The CVSS v3.1 base score is 4.9, reflecting a medium severity with network attack vector, low attack complexity, high privileges required, no user interaction, and a confidentiality impact but no integrity or availability impact. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was published on September 26, 2025, and was reserved earlier that month. The issue is significant because WordPress powers a large portion of websites globally, and plugins like FIFU are widely used to manage featured images via URLs, making this a relevant threat to many sites that rely on this plugin for content management.
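The root cause named in the description and the technical analysis above (a user-supplied parameter concatenated into SQL without escaping or a prepared statement) is the classic WordPress `$wpdb` mistake. The following is an added illustration of that pattern next to its hardened form; it is not the FIFU plugin's code, and the function names, the meta key, the `post_type` parameter and the surrounding query are all assumed for the example.

```php
<?php
// Added illustration of the CWE-89 pattern described in the advisory. This is
// NOT the FIFU plugin's get_all_urls(): the meta key, parameter and query shape
// are assumed. It expects to run inside WordPress, where the global $wpdb exists.

// Vulnerable pattern: the caller-supplied value is spliced straight into the
// query text, so the database sees whatever the administrator submitted.
function example_get_urls_unsafe( $post_type ) {
    global $wpdb;
    $sql = "SELECT pm.meta_value FROM {$wpdb->postmeta} pm
            JOIN {$wpdb->posts} p ON p.ID = pm.post_id
            WHERE pm.meta_key = 'example_image_url'
              AND p.post_type = '" . $post_type . "'";
    return $wpdb->get_col( $sql );
}

// Hardened pattern: the value is bound through $wpdb->prepare(), which quotes
// and escapes it so it can only ever be a string literal inside the query.
function example_get_urls_safe( $post_type ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT pm.meta_value FROM {$wpdb->postmeta} pm
         JOIN {$wpdb->posts} p ON p.ID = pm.post_id
         WHERE pm.meta_key = %s AND p.post_type = %s",
        'example_image_url',
        $post_type
    );
    return $wpdb->get_col( $sql );
}

// prepare() cannot bind identifiers (table or column names). Where a parameter
// selects one of those, validate it against an allow-list instead of escaping.
function example_validated_post_type( $post_type ) {
    $allowed = get_post_types( array(), 'names' );   // core WP API: array of slugs
    if ( ! in_array( $post_type, $allowed, true ) ) {
        return new WP_Error( 'invalid_post_type', 'Unknown post type' );
    }
    return $post_type;
}
```

Two points worth noting when auditing a plugin for this class of bug: `prepare()` only protects the values passed as placeholders, so any part of the query still built by string concatenation remains exposed, and the fact that the caller must already be an administrator (as in this CVE) does not make the query safe, it only lowers the CVSS privileges-required component.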

Potential Impact

For European organizations, this vulnerability poses a risk primarily to websites and web applications running WordPress with the FIFU plugin installed. Since exploitation requires administrator-level access, the threat is more relevant in scenarios where internal users or compromised credentials could be leveraged by attackers. Successful exploitation could lead to unauthorized disclosure of sensitive data stored in the WordPress database, including personal data protected under GDPR, potentially resulting in data breaches, regulatory penalties, and reputational damage. The lack of impact on integrity and availability limits the threat to confidentiality breaches only, but the exposure of sensitive information could still be significant. Organizations using this plugin in sectors such as e-commerce, government, healthcare, and finance in Europe could face increased risk due to the sensitivity of the data handled. Additionally, the medium severity score suggests that while the vulnerability is exploitable, it requires elevated privileges, somewhat limiting the attack surface but not eliminating risk, especially in environments with weak internal controls or compromised administrator accounts.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Featured Image from URL (FIFU) plugin and verify the version in use. Until an official patch is released, organizations should consider the following specific mitigations:

1) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
2) Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the get_all_urls() function or related plugin endpoints.
3) Conduct regular security reviews and code audits of installed plugins, especially those handling user input and database queries.
4) Monitor logs for unusual database query patterns or access anomalies that could indicate exploitation attempts.
5) If feasible, temporarily disable or remove the FIFU plugin until a security update is available.
6) Educate site administrators about the risks of SQL injection and the importance of applying the principle of least privilege.
7) Keep WordPress core and all plugins updated to the latest versions to minimize exposure to known vulnerabilities.
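The first step above (find the plugin and check its version against the affected range) can be scripted with WordPress's own plugin API. The helper below is an added example, not part of the plugin or of WordPress core; it assumes it runs in a WordPress admin context (for instance via the WP-CLI command `wp eval-file`), matches the plugin by its display name rather than assuming its directory slug, and takes the "up to and including 5.2.7" bound from the advisory text.

```php
<?php
// Added audit helper for the mitigation step above. Not FIFU or WordPress code.
// Assumes a loaded WordPress environment; get_plugins() and is_plugin_active()
// live in wp-admin/includes/plugin.php, which is not loaded on every request.
if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

// Returns one finding per installed copy of the plugin, with an 'affected'
// flag set when the version is at or below $max_affected (5.2.7 per the CVE).
function example_find_vulnerable_fifu( $max_affected = '5.2.7' ) {
    $findings = array();
    foreach ( get_plugins() as $plugin_file => $data ) {
        // Match on the plugin's display name; the directory slug is not assumed.
        if ( false === stripos( $data['Name'], 'Featured Image from URL' ) ) {
            continue;
        }
        $findings[] = array(
            'file'     => $plugin_file,
            'version'  => $data['Version'],
            'active'   => is_plugin_active( $plugin_file ),
            'affected' => version_compare( $data['Version'], $max_affected, '<=' ),
        );
    }
    return $findings;
}

foreach ( example_find_vulnerable_fifu() as $f ) {
    printf(
        "%s version %s (%s): %s\n",
        $f['file'],
        $f['version'],
        $f['active'] ? 'active' : 'inactive',
        $f['affected'] ? 'AFFECTED: update or deactivate' : 'outside affected range'
    );
}
```

Because the advisory lists no fixed version, the helper treats every version up to and including 5.2.7 as affected and reports an inactive copy as well, since a deactivated plugin's files can still be reactivated by any administrator; re-run it after a patched release appears and raise `$max_affected` only once the vendor confirms the fix.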


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-05T17:06:55.850Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d6187890922828e6e3b949

Added to database: 9/26/2025, 4:37:12 AM

Last enriched: 9/26/2025, 4:38:16 AM

Last updated: 9/26/2025, 4:38:16 AM
