CVE-2025-10163: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in fernandobt List category posts
The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘starting_with’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-10163 affects the 'List category posts' WordPress plugin developed by fernandobt, specifically versions up to and including 0.91.0. The flaw is a time-based SQL Injection (CWE-89) occurring via the 'starting_with' parameter of the catlist shortcode. This parameter is insufficiently escaped and the SQL query is not properly prepared, allowing an authenticated attacker with Contributor-level access or higher to append arbitrary SQL to the existing query. This can be exploited to extract sensitive information from the WordPress database, such as user data or site configuration details. The attack is carried out over the network with low attack complexity and requires no user interaction beyond the attacker's own authentication. The vulnerability impacts confidentiality but does not affect integrity or availability. No patches are currently available, and no known exploits have been reported in the wild. The CVSS v3.1 score is 6.5 (medium severity), reflecting the moderate risk posed by this vulnerability given the required privileges and the potential data exposure.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the confidentiality of data stored in WordPress databases. Organizations using the 'List category posts' plugin on their WordPress sites could have sensitive information exposed if an attacker with Contributor-level access exploits the flaw. This could include personal data of customers or employees, internal content, or configuration details, potentially leading to privacy violations under GDPR. While the vulnerability does not allow data modification or service disruption, the unauthorized disclosure of sensitive data can damage reputation, lead to regulatory penalties, and facilitate further attacks. Organizations with multiple contributors or less restrictive access controls are at higher risk. Given the widespread use of WordPress in Europe, especially in sectors like media, education, and small to medium enterprises, the impact could be significant if not addressed promptly.
Mitigation Recommendations
Since no official patch is currently available, European organizations should implement immediate compensating controls. These include restricting Contributor-level access strictly to trusted users and auditing existing user privileges. Administrators should disable or remove the 'List category posts' plugin if it is not essential. For sites that must continue using the plugin, applying custom input validation to sanitize the 'starting_with' parameter is critical. Implementing Web Application Firewall (WAF) rules to detect and block SQL Injection patterns targeting this parameter can provide additional protection. Monitoring logs for suspicious query patterns or unusual database access is recommended. Once a patch is released, organizations should prioritize updating the plugin to the fixed version. Regular security assessments and user privilege reviews will help reduce the attack surface.
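As an added example (not code from the List category posts plugin or from Wordfence), the following mu-plugin implements the compensating control described above: it rejects any [catlist] shortcode whose starting_with attribute contains characters outside a letter/digit/whitespace allowlist before the plugin's handler runs, and it shows the prepared-query pattern a fix should use. The 'pre_do_shortcode_tag' filter, $wpdb->prepare() and $wpdb->esc_like() are real WordPress APIs; the allowlist and the query helper are assumptions.

```php
<?php
/**
 * Plugin Name: Harden catlist starting_with (added example, not plugin code)
 * Install in wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Compensating control for CVE-2025-10163: refuse to render a [catlist]
 * shortcode whose starting_with attribute contains anything other than
 * letters, digits or whitespace. The allowlist is an assumption; adjust it
 * if legitimate content needs other characters.
 */
add_filter( 'pre_do_shortcode_tag', function ( $return, $tag, $attr ) {
    if ( 'catlist' !== $tag || ! is_array( $attr ) ) {
        return $return; // not our shortcode, or it has no attributes
    }
    $value = $attr['starting_with'] ?? '';
    if ( '' !== $value && ! preg_match( '/^[\p{L}\p{N}\s]*$/u', $value ) ) {
        // Record who placed the suspicious value and where, then suppress
        // the shortcode entirely so the plugin never builds a query from it.
        error_log( sprintf(
            'catlist: rejected starting_with value from user %d on post %d',
            get_current_user_id(),
            (int) get_the_ID()
        ) );
        return '';
    }
    return $return; // false: let the plugin render as normal
}, 10, 3 );

/**
 * Hypothetical helper showing how a patched plugin should build the query:
 * the prefix is LIKE-escaped and bound through $wpdb->prepare() rather than
 * concatenated into the SQL string.
 */
function example_posts_starting_with( string $prefix ): array {
    global $wpdb;
    $like = $wpdb->esc_like( $prefix ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```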
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-09T13:18:09.330Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 693a3ebcbbbecd30a6fa32fe
Added to database: 12/11/2025, 3:47:08 AM
Last enriched: 12/18/2025, 4:57:38 AM
Last updated: 2/7/2026, 9:33:49 AM