
CVE-2025-10042: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ays-pro Quiz Maker

Medium
Tags: Vulnerability, CVE-2025-10042, CWE-89
Published: Wed Sep 17 2025 (09/17/2025, 05:18:44 UTC)
Source: CVE Database V5
Vendor/Project: ays-pro
Product: Quiz Maker

Description

The Quiz Maker plugin for WordPress is vulnerable to SQL Injection via spoofed IP headers in all versions up to, and including, 6.7.0.56 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable in configurations where the server is set up to retrieve the IP from a user-supplied field like `X-Forwarded-For` and limit users by IP is enabled.

AI-Powered Analysis

Last updated: 09/17/2025, 13:00:59 UTC

Technical Analysis

CVE-2025-10042 is a medium-severity SQL injection (CWE-89) vulnerability in the Quiz Maker plugin for WordPress by ays-pro, affecting all versions up to and including 6.7.0.56. The plugin's "limit users by IP" feature looks up the visitor's IP address in the database, and on servers configured to take that address from a client-controlled header such as `X-Forwarded-For`, the header value reaches the SQL statement without adequate escaping and without a prepared statement. An unauthenticated attacker who can reach the site can therefore place SQL syntax in the header and append their own query fragments to the plugin's existing query, which is enough to read data the query was never meant to return.

Two preconditions must both hold: the server (or the plugin's IP-detection logic) must derive the client IP from a user-supplied header rather than from the TCP peer address, and the IP-based user limit must be enabled. No authentication and no user interaction are needed, but these prerequisites raise the attack complexity. The CVSS 3.1 base score is 5.9 (medium), which corresponds to the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N: network attack vector, high attack complexity, no privileges, no user interaction, high confidentiality impact and no integrity or availability impact. At the time of this analysis no exploitation in the wild had been reported and no patch was linked in the record.

The root cause is the familiar pairing of two mistakes: trusting a client-supplied header as if it were an authenticated fact about the client, and building SQL from that value by string concatenation instead of parameter binding. Either fix on its own would have blocked this issue; both belong in any WordPress plugin that stores or filters by request metadata.
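The following Python script is an added illustration of the CWE-89 pattern described above. It is not code from the Quiz Maker plugin and does not reproduce the plugin's real query or schema: the `attempts` and `users` tables, the "limit users by IP" lookup and the header value are all constructed for the example. It places the injectable version beside a hardened version that first validates the value as an IP literal and then binds it as a query parameter.

```python
import ipaddress
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the site database (not the plugin's schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE attempts (ip TEXT, quiz_id INTEGER);
        CREATE TABLE users (user_login TEXT, user_email TEXT);
        INSERT INTO attempts VALUES ('203.0.113.7', 1), ('203.0.113.7', 1), ('198.51.100.2', 1);
        INSERT INTO users VALUES ('admin', 'admin@example.test'), ('editor', 'editor@example.test');
    """)
    return db


def attempts_vulnerable(db, ip, quiz_id):
    """Hypothetical 'limit users by IP' lookup written the way the advisory describes:
    the header-derived string is spliced into the SQL text, unescaped and unbound."""
    sql = f"SELECT ip FROM attempts WHERE ip = '{ip}' AND quiz_id = {int(quiz_id)}"
    return [row[0] for row in db.execute(sql)]


def attempts_hardened(db, ip, quiz_id):
    """Same lookup, hardened: refuse anything that is not an IPv4/IPv6 literal, then
    pass the value as a bound parameter so the driver never parses it as SQL."""
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an address
    sql = "SELECT ip FROM attempts WHERE ip = ? AND quiz_id = ?"
    return [row[0] for row in db.execute(sql, (ip, int(quiz_id)))]


def hardened_rejects(db, ip, quiz_id=1):
    """True when the hardened path refuses the value before it reaches the database."""
    try:
        attempts_hardened(db, ip, quiz_id)
    except ValueError:
        return True
    return False


# Constructed header value: closes the quoted IP literal, appends a UNION against an
# unrelated table, and comments out the remainder of the original WHERE clause.
PAYLOAD = "' UNION SELECT user_email FROM users -- "

if __name__ == "__main__":
    db = build_db()
    print("legit IP, vulnerable  :", attempts_vulnerable(db, "203.0.113.7", 1))
    print("payload,  vulnerable  :", attempts_vulnerable(db, PAYLOAD, 1))
    print("legit IP, hardened    :", attempts_hardened(db, "203.0.113.7", 1))
    print("payload,  hardened    :", "rejected" if hardened_rejects(db, PAYLOAD) else "accepted")
```

Run against the constructed data, the vulnerable lookup returns both user e-mail addresses for the payload while the legitimate address returns only its own rows; the hardened lookup never sends the payload to the database. In a WordPress plugin the equivalent of the two hardening steps is `filter_var($ip, FILTER_VALIDATE_IP)` followed by `$wpdb->prepare()` with a `%s` placeholder rather than direct interpolation into the query string.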

Potential Impact

For European organizations running WordPress sites with the Quiz Maker plugin, this vulnerability is a data-disclosure risk. An attacker could extract database contents, potentially including user records, quiz results or other confidential material, which may constitute a personal data breach under GDPR with the associated notification duties, reputational damage and possible regulatory penalties. Because exploitation needs a server that derives the client IP from `X-Forwarded-For` (or a similar header) and has IP-based user limiting enabled, the exposed deployments are those where WordPress or the plugin reads the header from any request rather than only from a known reverse proxy or load balancer; a proxy that overwrites the header on every inbound request, combined with an application that accepts it only from that proxy, is not the vulnerable configuration. The direct impact is on confidentiality, with no effect on integrity or availability, but leaked account and contact data can feed follow-on attacks such as credential stuffing or targeted phishing. Organizations with public-facing WordPress sites in sectors that commonly deploy Quiz Maker, such as education, e-learning and corporate training, should check their configuration first. The medium score reflects that exploitation is not trivial; the data at stake still warrants prompt attention.

Mitigation Recommendations

1. Review how the web server, any WordPress IP-detection code and the plugin determine the client IP. If `X-Forwarded-For` or a similar header is consulted, accept it only when the TCP peer is a known reverse proxy or load balancer, use the right-most hop that is not one of your own proxies, and configure the proxy to overwrite the header rather than append to whatever the client sent. Where no proxy is in use, rely on `REMOTE_ADDR` alone.
2. Disable the "limit users by IP" option in the Quiz Maker plugin until a fixed version is available and installed; this removes the vulnerable code path regardless of header handling.
3. Apply least privilege to the database account WordPress uses: a single account with full access to every table turns any injection into a full-database read. Where the hosting allows it, restrict the account to the tables the site needs.
4. Monitor web server and application logs for requests whose `X-Forwarded-For` value is not a comma-separated list of IP addresses, in particular values containing quotes, SQL keywords or comment sequences.
5. Add Web Application Firewall rules that drop or flag requests with non-IP `X-Forwarded-For` values and generic SQL injection patterns in request headers, not only in query strings and bodies.
6. Keep the Quiz Maker plugin updated and apply the vendor's fixed release as soon as it is published.
7. Audit or penetration-test WordPress plugins that write request metadata (IP, user agent, referrer) into SQL; the same header-to-query pattern recurs across plugins.
8. Brief administrators that client-supplied headers are attacker-controlled by default, and document the secure proxy and load-balancer configuration the site depends on.
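As an added example covering items 1, 4 and 5 above (not code from the page or from the plugin), the script below resolves the client IP so that `X-Forwarded-For` is honoured only when the TCP peer is a trusted proxy, and then runs that same check over a few constructed access-log lines to flag header values that are not IP lists. The `10.0.0.0/8` proxy range and the log line layout (combined format with the `X-Forwarded-For` value appended in quotes, `-` when the header is absent) are assumptions for the example.

```python
import ipaddress
import re

# Assumption: the site's reverse proxy or load balancer lives in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Resolve the client IP. The header is consulted only when the TCP peer is a
    trusted proxy, and the client is the right-most hop that is not itself one of our
    proxies. Any hop that is not an IP literal raises ValueError, so the caller can
    reject the request instead of passing the string on to application logic."""
    peer = ipaddress.ip_address(remote_addr)
    if not _trusted(peer) or not xff_header:
        return str(peer)  # header is untrusted or absent: use the socket address
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        addr = ipaddress.ip_address(hop)
        if not _trusted(addr):
            return str(addr)
    return str(peer)  # every hop was one of our proxies


# Constructed log lines: peer address first, X-Forwarded-For value in the last quoted field.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "203.0.113.7"
10.0.0.5 - - [17/Sep/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "203.0.113.7, 10.0.0.5"
10.0.0.5 - - [17/Sep/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 9001 "' OR 1=1 -- "
10.0.0.5 - - [17/Sep/2025:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-"
"""

LOG_RE = re.compile(r'^(?P<peer>\S+) .* "(?P<xff>[^"]*)"$')


def suspicious_xff(log_text):
    """Return (line_number, header_value) for every request whose X-Forwarded-For
    would be rejected by client_ip(), i.e. is not a list of IP addresses."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        xff = m.group("xff")
        if xff == "-":
            continue  # header not present on this request
        try:
            client_ip(m.group("peer"), xff)
        except ValueError:
            hits.append((n, xff))
    return hits


if __name__ == "__main__":
    print(client_ip("10.0.0.5", "203.0.113.7, 10.0.0.5"))   # client behind our proxy
    print(client_ip("198.51.100.9", "' OR 1=1 -- "))         # direct peer, header ignored
    for n, value in suspicious_xff(SAMPLE_LOG):
        print(f"line {n}: non-IP X-Forwarded-For {value!r}")
```

The resolver accepts the spoofable header only on the one path where it is meaningful, so a direct client sending a crafted header is simply seen as its socket address; the log scan applies the identical rule after the fact, which is the check a WAF rule or SIEM query for item 5 should encode.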


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-09-05T17:58:14.606Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68cab09db62c8e2e63b2466d

Added to database: 9/17/2025, 12:59:09 PM

Last enriched: 9/17/2025, 1:00:59 PM

Last updated: 9/18/2025, 6:38:09 PM
