CVE-2025-10042: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ays-pro Quiz Maker
The Quiz Maker plugin for WordPress is vulnerable to SQL Injection via spoofed IP headers in all versions up to, and including, 6.7.0.56 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable in configurations where the server is set up to retrieve the IP from a user-supplied field like `X-Forwarded-For` and limit users by IP is enabled.
AI Analysis
Technical Summary
CVE-2025-10042 is a SQL injection flaw in the ays-pro Quiz Maker plugin for WordPress, affecting all versions up to and including 6.7.0.56. The plugin's limit-users-by-IP feature looks up the requesting client's address in the database; when the site is configured to take that address from a user-supplied header such as X-Forwarded-For, the header value reaches the query without adequate escaping and without a prepared statement. Because any client can set X-Forwarded-For on its own request, an unauthenticated attacker can place SQL in the header and have it appended to the plugin's existing query, which is enough to read data from the backend database. Two preconditions must both hold: the IP-limit option is enabled, and the client IP is sourced from a client-controllable header rather than from the TCP peer address (REMOTE_ADDR). That dependency on configuration is why the CVSS 3.1 score is 5.9 with attack complexity rated high; the remaining metrics are network attack vector, no privileges required, no user interaction, and high confidentiality impact with no integrity or availability impact, which corresponds to the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. No public exploit had been reported at the time of analysis, but any site running an affected version with the IP limit enabled and the IP taken from a forwarded header is exposed.
Potential Impact
The primary impact of CVE-2025-10042 is unauthorized read access to the WordPress database of sites running the affected plugin under the vulnerable configuration. An attacker can extract quiz results and participant data, and because the injected query runs as the site's database user, which in a standard WordPress deployment can read every table, other tables such as wp_users (e-mail addresses and password hashes) are reachable as well. The flaw itself does not modify or delete data, but the exposed information can feed phishing, credential-stuffing and further intrusion. Sites that enable the IP limit and derive client IPs from a forwarded header, typically because they sit behind a reverse proxy or CDN, are the ones at risk. The medium severity reflects that configuration dependency rather than low value of the data: WordPress and this plugin are widely deployed in educational, corporate and public-sector sites, so the absolute number of exposed installations may still be meaningful. No in-the-wild exploitation was known at the time of analysis, which limits the immediate risk but not the future one.
Mitigation Recommendations
To mitigate CVE-2025-10042, inventory WordPress installations running the ays-pro Quiz Maker plugin and update to a release newer than 6.7.0.56 as soon as the vendor's fixed version is available. Until then, break either precondition: disable the limit-users-by-IP option, or stop deriving the client IP from a client-supplied header. Where a reverse proxy or CDN is genuinely in front of the site, the correct setup is for that proxy to set or overwrite X-Forwarded-For and for the origin to trust the header only when the connection comes from the proxy's own addresses, using the right-most hop the proxy appended; where there is no proxy, the web server should strip the header entirely. A WAF or proxy rule that blocks SQL metacharacters in X-Forwarded-For is an interim control, not a fix, because the plugin still interpolates whatever gets through. The root-cause fix for developers is to pass the value through $wpdb->prepare() (or an equivalent parameterized query) and to validate that it is syntactically an IP address before using it. Defenders should log the X-Forwarded-For header alongside the peer address and alert on values that are not a comma-separated list of IP addresses, since a legitimate header never contains quotes, SQL keywords or comment sequences. More generally, no security decision should rest on a header the client can set unless a trusted intermediary is known to control it.
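The following is an added illustration of the bug class described in the technical summary and of the two mitigations above (trusted-proxy header handling and a parameterized query). It is not the Quiz Maker plugin's code: the schema, table names, sample rows, the payload, the proxy address 10.0.0.5 and the use of sqlite3 in place of MySQL/$wpdb are all constructed for the demo. The vulnerable path reads X-Forwarded-For verbatim and builds SQL from it; the hardened path honours the header only when the TCP peer is a known proxy, takes the right-most hop, requires it to parse as an IP, and binds it as a parameter.

```python
"""Added demo of an IP-limit check that trusts X-Forwarded-For and interpolates
it into SQL, beside a hardened version. Not the plugin's code; everything below
(schema, rows, payload, proxy address) is constructed for illustration."""
import ipaddress
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: quiz attempts keyed by IP plus a sensitive
    table an attacker would want to read through the injection."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE quiz_attempts (id INTEGER, user_ip TEXT, score INTEGER);
        CREATE TABLE wp_users (user_login TEXT, user_email TEXT);
        INSERT INTO quiz_attempts VALUES (1, '198.51.100.7', 80),
                                         (2, '198.51.100.7', 95);
        INSERT INTO wp_users VALUES ('admin', 'admin@example.test');
    """)
    return conn


# Attacker-supplied header value (constructed). The leading quote closes the
# string literal, UNION appends a second SELECT, and "-- " comments out the rest.
PAYLOAD = "' UNION SELECT user_login, user_email FROM wp_users -- "


# ---- vulnerable pattern -------------------------------------------------------
def client_ip_vulnerable(headers: dict, remote_addr: str) -> str:
    # Trusts a client-settable header unconditionally: the sender chooses the "IP".
    return headers.get("X-Forwarded-For", remote_addr)


def attempts_vulnerable(conn: sqlite3.Connection, ip: str) -> list:
    # String-built SQL: whatever is in `ip` becomes part of the statement.
    sql = f"SELECT id, score FROM quiz_attempts WHERE user_ip = '{ip}'"
    return conn.execute(sql).fetchall()


# ---- hardened pattern ---------------------------------------------------------
def resolve_client_ip(headers: dict, remote_addr: str, trusted_proxies: set):
    """Honour X-Forwarded-For only when the TCP peer is a proxy we operate,
    take the right-most hop (the one that proxy appended), and require it to
    parse as an IP address. Returns None when the value is unusable."""
    xff = headers.get("X-Forwarded-For")
    if remote_addr not in trusted_proxies or not xff:
        candidate = remote_addr
    else:
        candidate = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def attempts_hardened(conn: sqlite3.Connection, ip: str) -> list:
    # Parameterized query: the driver sends `ip` as data, never as SQL text.
    sql = "SELECT id, score FROM quiz_attempts WHERE user_ip = ?"
    return conn.execute(sql, (ip,)).fetchall()


def ip_limit_allows(conn, headers, remote_addr, trusted_proxies, max_attempts=2) -> bool:
    """Hardened limit-by-IP decision: fail closed on an unparseable address."""
    ip = resolve_client_ip(headers, remote_addr, trusted_proxies)
    if ip is None:
        return False
    return len(attempts_hardened(conn, ip)) < max_attempts


if __name__ == "__main__":
    db = build_db()
    trusted = {"10.0.0.5"}  # assumption: the address of our own reverse proxy
    spoofed = {"X-Forwarded-For": PAYLOAD}
    print("vulnerable:", attempts_vulnerable(db, client_ip_vulnerable(spoofed, "203.0.113.10")))
    print("hardened:  ", attempts_hardened(db, PAYLOAD))
    print("no proxy, header ignored:", resolve_client_ip(spoofed, "203.0.113.10", trusted))
    print("via proxy, right-most hop:",
          resolve_client_ip({"X-Forwarded-For": PAYLOAD + ", 198.51.100.7"}, "10.0.0.5", trusted))
    print("limit bypass attempt allowed?",
          ip_limit_allows(db, {"X-Forwarded-For": "1.2.3.4"}, "198.51.100.7", trusted))
```

The vulnerable query returns the wp_users row instead of quiz attempts, while the same payload bound as a parameter returns nothing. In WordPress terms the hardened query is `$wpdb->prepare( "... WHERE user_ip = %s", $ip )`; the proxy check is what makes X-Forwarded-For safe to consult at all, and it also stops the simpler abuse of spoofing a fresh address to dodge the attempt limit.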
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-05T17:58:14.606Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cab09db62c8e2e63b2466d
Added to database: 9/17/2025, 12:59:09 PM
Last enriched: 2/27/2026, 6:02:22 PM
Last updated: 3/25/2026, 7:15:52 AM