CVE-2025-10045 is a SQL Injection vulnerability classified under CWE-89 found in the onOffice for WP-Websites plugin for WordPress, affecting all versions up to and including 5.7. The vulnerability stems from insufficient escaping and lack of prepared statements when handling the 'order' parameter in SQL queries. This parameter is user-supplied and can be manipulated by authenticated users with Editor-level access or higher. By injecting malicious SQL code into this parameter, attackers can append additional queries to extract sensitive information from the underlying database. The vulnerability does not require user interaction but does require elevated privileges, limiting exploitation to users who already have some level of trust within the WordPress environment. The CVSS v3.1 base score is 4.9, reflecting a medium severity due to the network attack vector, low attack complexity, and high privileges required. The impact is primarily on confidentiality, with no direct effect on integrity or availability. No public exploits have been reported to date, but the vulnerability is published and known to the security community. The lack of patches at the time of reporting means affected sites remain at risk until updates or mitigations are applied.

The primary impact of this vulnerability is unauthorized disclosure of sensitive data stored in the WordPress database, which may include user information, configuration details, or proprietary content managed by the onOffice plugin. Since exploitation requires Editor-level access, the threat is significant in environments where multiple users have elevated privileges or where credentials may be compromised. Attackers could leverage this vulnerability to gain insights into database structure or extract confidential data, potentially leading to further attacks or data breaches. Although the vulnerability does not affect data integrity or availability directly, the exposure of sensitive information can have serious consequences including reputational damage, regulatory penalties, and loss of customer trust. Organizations running WordPress sites with this plugin are at risk, especially those in real estate or related sectors where onOffice is commonly used. The medium severity score reflects the balance between the required privilege level and the potential data exposure.

To mitigate this vulnerability, organizations should immediately upgrade the onOffice for WP-Websites plugin to a version that addresses the SQL Injection flaw once available. In the absence of an official patch, administrators should restrict Editor-level access to trusted users only and audit existing user privileges to minimize risk. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the 'order' parameter can provide temporary protection. Additionally, site owners should enable database query logging to monitor for anomalous queries indicative of exploitation attempts. Developers maintaining custom integrations should refactor code to use parameterized queries or prepared statements for all database interactions involving user input. Regular security assessments and penetration testing focused on privilege escalation and injection flaws will help identify residual risks. Finally, maintaining strong credential hygiene and multi-factor authentication for privileged accounts will reduce the likelihood of attacker access.