CVE-2025-10163: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in fernandobt List category posts
The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘starting_with’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-10163 is a time-based SQL Injection vulnerability identified in the 'List category posts' WordPress plugin developed by fernandobt. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) due to insufficient escaping and lack of prepared statements in handling the 'starting_with' parameter of the catlist shortcode. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting additional SQL queries appended to existing ones, enabling them to extract sensitive information from the WordPress database. The attack vector is network-based with no user interaction required, and the vulnerability does not affect data integrity or availability but compromises confidentiality. The plugin versions up to and including 0.91.0 are affected, with no patch currently available. Although no known exploits have been reported in the wild, the vulnerability presents a significant risk due to the ease of exploitation and the potential exposure of sensitive data such as user credentials, site configuration, or other stored information. The CVSS v3.1 base score is 6.5, indicating medium severity, with attack vector Network (AV:N), low attack complexity (AC:L), privileges required Low (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N).
Potential Impact
The primary impact of CVE-2025-10163 is unauthorized disclosure of sensitive information stored in the WordPress database, which could include user data, site configuration, or other confidential content. Since the vulnerability allows SQL Injection by authenticated users with Contributor-level access, attackers who have gained limited access to the site can escalate their capabilities to extract data beyond their privileges. This can lead to privacy violations, data breaches, and potential further exploitation if sensitive credentials or tokens are exposed. Although the vulnerability does not affect data integrity or availability, the confidentiality breach can undermine trust in the affected websites and lead to regulatory compliance issues, especially in regions with strict data protection laws. Organizations using the vulnerable plugin face risks of targeted attacks, especially if their WordPress installations are publicly accessible and have multiple contributors. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as proof-of-concept exploits could be developed and weaponized.
Mitigation Recommendations
To mitigate CVE-2025-10163, organizations should immediately audit their WordPress installations for the presence of the 'List category posts' plugin and verify the version in use. Since no official patch is currently available, administrators should consider the following specific actions:
1) Temporarily disable or remove the vulnerable plugin until a patched version is released.
2) Restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of insider exploitation.
3) Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'starting_with' parameter in HTTP requests.
4) Monitor database query logs and web server logs for anomalous query patterns or unusual access attempts related to the catlist shortcode.
5) Encourage the plugin developer or community to release an update that properly sanitizes inputs using parameterized queries or prepared statements.
6) Educate site administrators and contributors about the risks of SQL injection and the importance of least privilege principles.
7) Regularly back up WordPress databases to enable recovery in case of compromise.
These targeted mitigations go beyond generic advice by focusing on access control, monitoring, and temporary plugin management.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-09T13:18:09.330Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693a3ebcbbbecd30a6fa32fe
Added to database: 12/11/2025, 3:47:08 AM
Last enriched: 2/27/2026, 6:11:39 PM
Last updated: 3/24/2026, 12:46:08 AM