CVE-2025-10045: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in onofficeweb onOffice for WP-Websites
CVE-2025-10045 is a medium severity SQL Injection vulnerability in the onOffice for WP-Websites WordPress plugin affecting all versions up to and including 5.7. It arises from improper sanitization of the 'order' parameter, allowing authenticated users with Editor-level or higher privileges to inject additional SQL commands. This vulnerability enables attackers to extract sensitive database information without requiring user interaction. Exploitation requires network access and elevated privileges but does not impact data integrity or availability. No known exploits are currently reported in the wild. European organizations using this plugin in their WordPress environments are at risk of data exposure. Mitigation involves applying patches once available, restricting Editor-level access, and implementing strict input validation. Countries with significant WordPress usage and real estate or CRM sectors relying on onOffice are most likely affected.
AI Analysis
Technical Summary
CVE-2025-10045 is a SQL Injection vulnerability identified in the onOffice for WP-Websites plugin for WordPress, versions up to and including 5.7. The flaw stems from improper neutralization of special elements in the 'order' parameter used within SQL queries. Specifically, the plugin fails to adequately escape or prepare the user-supplied 'order' parameter, allowing an authenticated attacker with Editor-level or higher privileges to append arbitrary SQL commands to existing queries. This can lead to unauthorized extraction of sensitive information from the underlying database. The vulnerability does not require user interaction but does require authenticated access with elevated privileges, limiting the attack surface to users who already have significant access rights. The CVSS v3.1 score is 4.9 (medium), reflecting the network attack vector, low attack complexity, and high confidentiality impact but no integrity or availability impact. No public exploits are currently known, and no patches have been linked yet. The vulnerability is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Given the plugin’s use in WordPress environments, exploitation could compromise customer data, internal business information, or other sensitive records stored in the database. The lack of sufficient input sanitization indicates a need for improved secure coding practices in the plugin’s development.
Potential Impact
For European organizations, the primary impact is unauthorized disclosure of sensitive data stored in WordPress databases using the onOffice plugin. This could include customer information, business intelligence, or proprietary data relevant to real estate or CRM operations. Since exploitation requires Editor-level access, the threat is mainly from insider threats or compromised accounts with elevated privileges. Data confidentiality is at risk, potentially leading to GDPR violations if personal data is exposed, resulting in regulatory fines and reputational damage. The integrity and availability of systems are not directly affected, reducing the risk of service disruption. However, the exposure of sensitive data could facilitate further attacks such as phishing or social engineering. Organizations relying on this plugin for critical business functions may face operational risks if data confidentiality is breached. The medium severity rating suggests that while the vulnerability is serious, it is not trivially exploitable by unauthenticated attackers, somewhat limiting its impact scope.
Mitigation Recommendations
1. Immediately restrict Editor-level and higher privileges to trusted users only, implementing strict access controls and monitoring for suspicious activity.
2. Apply patches or updates from the onOffice vendor as soon as they become available to fix the SQL injection flaw.
3. In the absence of patches, consider temporarily disabling or removing the onOffice plugin to eliminate the attack vector.
4. Implement Web Application Firewall (WAF) rules to detect and block malicious SQL injection attempts targeting the 'order' parameter.
5. Conduct regular audits of user privileges and database access logs to detect potential exploitation attempts.
6. Employ input validation and sanitization at the application level for all user-supplied parameters, especially those used in SQL queries.
7. Educate administrators and editors on the risks of privilege misuse and encourage strong password policies and multi-factor authentication to reduce account compromise risk.
8. Monitor threat intelligence feeds for any emerging exploits related to CVE-2025-10045 to respond promptly.
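The flaw in the 'order' parameter and mitigation item 6 above, as an added example that is not code from the onOffice plugin or from this advisory: a hypothetical listing-sort handler in Python over an in-memory SQLite table with constructed rows. It places the concatenation pattern the advisory describes beside an allow-list fix and shows why the allow-list is the right tool here: a sort column is an SQL identifier, not a value, so it cannot be neutralized by binding it as a query parameter. The table, column names, sample rows and function names are all assumptions made for the example.

```python
"""Added example (not the onOffice plugin's code): an 'order' parameter spliced
into ORDER BY, beside an allow-list that keeps user input out of the SQL text.
All table and column names below are constructed for illustration."""
import sqlite3

# Constructed sample data standing in for the plugin's real tables.
SAMPLE_ROWS = [
    (1, "Flat in Berlin", 250000),
    (2, "House in Vienna", 480000),
    (3, "Office in Zurich", 910000),
]

# Allow-list: the only sort keys a caller may request, mapped to the exact SQL
# identifier to emit. User input never reaches the query text directly.
ALLOWED_ORDER = {"id": "id", "title": "title", "price": "price"}
ALLOWED_DIRECTION = {"asc": "ASC", "desc": "DESC"}


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (id INTEGER, title TEXT, price INTEGER)")
    conn.executemany("INSERT INTO listings VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_vulnerable(order: str) -> str:
    """The pattern the advisory describes: the request value is concatenated
    straight into ORDER BY, so whatever the caller sends becomes SQL.
    Shown only to contrast with the hardened builder below."""
    return "SELECT id, title, price FROM listings ORDER BY " + order


def build_query_hardened(order: str, direction: str = "asc") -> str:
    """Fix: resolve the request against a fixed set of identifiers. Parameter
    binding cannot do this job, because ORDER BY ? would sort by a string
    constant rather than by the named column; anything not on the list is
    rejected before any SQL is assembled."""
    column = ALLOWED_ORDER.get(order.strip().lower())
    sql_dir = ALLOWED_DIRECTION.get(direction.strip().lower())
    if column is None or sql_dir is None:
        raise ValueError(
            f"invalid sort parameter: order={order!r} direction={direction!r}"
        )
    return f"SELECT id, title, price FROM listings ORDER BY {column} {sql_dir}"


def fetch_sorted(conn: sqlite3.Connection, order: str, direction: str = "asc"):
    """Run the hardened query and return the rows."""
    return conn.execute(build_query_hardened(order, direction)).fetchall()


def rejects(order: str, direction: str = "asc") -> bool:
    """True when the hardened builder refuses the given sort parameters.
    Useful as a unit test for the validator or as a WAF rule sanity check."""
    try:
        build_query_hardened(order, direction)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for row in fetch_sorted(db, "price", "desc"):
        print(row)
    print("rejected:", rejects("price; --"))
```

The same allow-list shape applies in a WordPress plugin: resolve the request onto a fixed array of column names and directions in PHP before the clause is assembled, and use `$wpdb->prepare()` only for the values in WHERE and LIMIT, which are the parts a prepared statement can actually protect.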
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Switzerland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-05T18:28:17.507Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68ef5c7bc4f69c9730e56938
Added to database: 10/15/2025, 8:34:03 AM
Last enriched: 12/2/2025, 2:53:02 PM
Last updated: 12/3/2025, 3:12:49 AM