CVE-2025-10144 identifies a time-based SQL Injection vulnerability in the Perfect Brands for WooCommerce plugin for WordPress, present in all versions up to and including 3.6.2. The vulnerability arises due to improper neutralization of special elements used in SQL commands (CWE-89), specifically in the handling of the 'brands' attribute within the 'products' shortcode. The plugin fails to adequately escape user-supplied input and does not use prepared statements or parameterized queries, allowing an authenticated attacker with Contributor-level or higher privileges to inject arbitrary SQL code. This injection can be exploited to append additional SQL queries to existing ones, enabling extraction of sensitive information from the underlying database through time-based blind SQL Injection techniques. The attack vector requires no user interaction beyond authentication, and the vulnerability affects the confidentiality of data but does not compromise integrity or availability. The CVSS 3.1 score of 6.5 reflects a medium severity, with network attack vector, low attack complexity, and privileges required but no user interaction. No known exploits are currently reported in the wild, but the vulnerability presents a significant risk for data leakage in WooCommerce environments using this plugin. The lack of patch links suggests that a fix may not yet be available, increasing the urgency for mitigations.

For European organizations, this vulnerability poses a risk of unauthorized data disclosure from WooCommerce databases, potentially exposing customer information, product details, and other sensitive business data. Given WooCommerce's popularity among European e-commerce businesses, exploitation could lead to breaches of GDPR and other data protection regulations, resulting in legal and financial repercussions. The requirement for Contributor-level access limits the attack surface to insiders or compromised accounts, but many organizations grant such privileges to multiple users, increasing risk. The vulnerability does not directly affect system integrity or availability, but the confidentiality breach alone can damage brand reputation and customer trust. Attackers could leverage extracted data for further attacks or fraud. Organizations with large e-commerce operations or those handling sensitive customer data are particularly vulnerable. The absence of known exploits reduces immediate threat but does not eliminate the risk of future attacks. Overall, the impact is significant for data confidentiality and regulatory compliance within the European context.

1. Immediately review and restrict Contributor-level access to trusted personnel only, minimizing the number of users who can exploit this vulnerability. 2. Monitor database query logs for unusual or time-delayed responses indicative of time-based SQL Injection attempts. 3. Implement Web Application Firewall (WAF) rules specifically targeting SQL Injection patterns on the 'brands' attribute and 'products' shortcode parameters. 4. Encourage the plugin vendor to release a patch; until then, consider disabling the Perfect Brands for WooCommerce plugin if feasible or replacing it with a secure alternative. 5. Employ database user permissions with least privilege, ensuring the WordPress database user has limited rights to reduce impact if exploited. 6. Conduct regular security audits and penetration testing focusing on WordPress plugins and custom code. 7. Educate administrators and content contributors about the risks of SQL Injection and the importance of secure coding and input validation. 8. Keep WordPress core and all plugins updated to the latest versions to reduce exposure to known vulnerabilities.