CVE-2025-10144 is a SQL Injection vulnerability classified under CWE-89 affecting the Perfect Brands for WooCommerce plugin for WordPress. The vulnerability arises from improper neutralization of special elements in SQL commands, specifically due to insufficient escaping and lack of prepared statements on the 'brands' attribute in the 'products' shortcode. Authenticated users with Contributor-level access or higher can exploit this flaw by injecting time-based SQL payloads, allowing them to append arbitrary SQL queries to existing database queries. This can lead to unauthorized extraction of sensitive data from the backend database. The vulnerability does not require user interaction but does require authentication, limiting the attack surface to users with some level of access. The CVSS v3.1 score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, and high confidentiality impact, but no impact on integrity or availability. No known public exploits have been reported, and no official patches have been linked yet. The vulnerability affects all versions up to and including 3.6.2 of the plugin, which is widely used in WooCommerce-based WordPress e-commerce sites.

This vulnerability can lead to unauthorized disclosure of sensitive information stored in the WordPress site's database, including potentially customer data, product details, or administrative information. Since the attack requires authenticated access at Contributor level or above, the risk is primarily from insider threats or compromised accounts with elevated privileges. Exploitation could facilitate further attacks, such as privilege escalation or data exfiltration, undermining customer trust and violating data protection regulations. The impact is significant for e-commerce businesses relying on WooCommerce and this plugin, as data breaches can lead to financial loss, reputational damage, and legal consequences. The vulnerability does not directly affect system integrity or availability, but the confidentiality breach alone is critical for organizations handling sensitive customer or business data.

Organizations should immediately restrict Contributor-level access to trusted users only and monitor for suspicious activity involving the 'products' shortcode usage. Applying the principle of least privilege can reduce the risk of exploitation. Since no official patch is currently available, administrators should consider temporarily disabling the Perfect Brands for WooCommerce plugin or removing the vulnerable shortcode from site content. Implementing Web Application Firewall (WAF) rules to detect and block SQL Injection patterns targeting the 'brands' attribute can provide interim protection. Additionally, site owners should ensure regular backups and monitor logs for anomalous database query patterns. Once a patch is released, prompt updating of the plugin is critical. Developers should also review and refactor the plugin code to use parameterized queries and proper input validation to prevent similar vulnerabilities.