CVE-2025-10036 identifies a SQL Injection vulnerability in the Featured Image from URL (FIFU) WordPress plugin, specifically in the get_all_urls() function. The vulnerability stems from insufficient escaping of user-supplied parameters and lack of proper SQL query preparation, allowing attackers with Administrator-level access to append malicious SQL commands to existing queries. This improper neutralization of special elements (CWE-89) enables extraction of sensitive information from the underlying database. The vulnerability affects all versions up to and including 5.2.7. The CVSS 3.1 base score is 4.9, reflecting medium severity, with the vector indicating network attack vector, low attack complexity, high privileges required, no user interaction, and impact limited to confidentiality. No known exploits are currently in the wild, and no official patches have been published yet. The vulnerability is significant because it leverages the high privileges of administrators, who typically have broad access to site content and configuration, making exploitation feasible if credentials are compromised or insider threats exist. The flaw highlights the importance of secure coding practices such as parameterized queries and proper input sanitization in WordPress plugin development.

The primary impact of this vulnerability is the potential unauthorized disclosure of sensitive information stored in the WordPress database, including user data, configuration details, and possibly credentials or tokens. Since exploitation requires Administrator-level access, the threat is mainly from insider threats or attackers who have already compromised administrative credentials. Successful exploitation can lead to data breaches, loss of confidentiality, and erosion of trust in affected websites. While the vulnerability does not directly affect data integrity or availability, the exposure of sensitive data can facilitate further attacks, such as privilege escalation or lateral movement within an organization’s infrastructure. Organizations relying on the Fifu plugin for critical websites or e-commerce platforms face reputational damage and compliance risks if sensitive customer or business data is leaked. The medium severity score reflects the balance between the high privilege requirement and the significant confidentiality impact.

To mitigate this vulnerability, organizations should immediately audit and restrict Administrator-level access to trusted personnel only, minimizing the risk of insider exploitation. Implement strict credential management policies, including multi-factor authentication and regular password rotation for admin accounts. Monitor database query logs for unusual or unexpected SQL commands that could indicate attempted injection. Until an official patch is released, consider temporarily disabling or removing the Featured Image from URL (FIFU) plugin if feasible, especially on high-value or sensitive sites. Developers and site administrators should review the plugin’s source code to identify and patch the vulnerable get_all_urls() function by implementing parameterized queries or prepared statements and proper input sanitization. Regularly update WordPress core and plugins to the latest versions once security patches become available. Employ web application firewalls (WAFs) with SQL injection detection capabilities to provide an additional layer of defense. Finally, conduct security awareness training for administrators to recognize and prevent credential compromise.