CVE-2025-10045 is an SQL Injection vulnerability identified in the onOffice for WP-Websites plugin, a WordPress plugin commonly used for real estate and property management websites. The vulnerability exists due to improper neutralization of special characters in the 'order' parameter used in SQL queries. Specifically, the plugin fails to sufficiently escape or prepare the user-supplied 'order' parameter before incorporating it into SQL commands. This allows an attacker with authenticated access at the Editor level or higher to append malicious SQL code to existing queries. Such injection can lead to unauthorized disclosure of sensitive information stored in the backend database, such as user data, property listings, or configuration details. The vulnerability does not affect availability or integrity directly but compromises confidentiality. Exploitation does not require user interaction but does require elevated privileges, limiting the attack surface to trusted users or compromised accounts. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. No public exploits or patches are currently available, increasing the urgency for organizations to apply compensating controls or monitor for suspicious activity.

For European organizations, this vulnerability poses a moderate risk primarily to confidentiality. Attackers with Editor-level access can exfiltrate sensitive data from the database, potentially including personal data protected under GDPR, leading to regulatory and reputational damage. Real estate agencies, property managers, and other businesses using the onOffice plugin on WordPress sites are particularly vulnerable. The breach of confidential client or business data could result in financial loss, legal penalties, and erosion of customer trust. Since the vulnerability requires authenticated access, the risk is heightened if internal accounts are compromised or if privilege escalation occurs. Additionally, the lack of patches means organizations must rely on detection and mitigation until a fix is released. The impact is somewhat contained by the requirement for elevated privileges but remains significant given the sensitive nature of data handled by onOffice-powered sites.

1. Restrict Editor-level and higher privileges strictly to trusted personnel and regularly audit user roles and permissions to minimize the risk of account compromise. 2. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'order' parameter in HTTP requests. 3. Monitor database query logs and application logs for unusual or unexpected SQL commands that could indicate exploitation attempts. 4. Employ network segmentation and least privilege principles to limit access to the WordPress backend and database servers. 5. Until an official patch is released, consider disabling or restricting the vulnerable functionality if feasible. 6. Educate administrators and editors on phishing and credential security to prevent account takeover. 7. Regularly back up databases and website data to enable recovery in case of data compromise. 8. Stay informed on vendor advisories for patch releases and apply updates promptly once available.