CVE-2025-10175 identifies a SQL Injection vulnerability in the WP Links Page plugin for WordPress, specifically affecting all versions up to and including 4.9.6. The root cause is insufficient escaping and lack of prepared statements when handling the 'id' parameter in SQL queries. This flaw allows authenticated attackers with Subscriber-level privileges or higher to append arbitrary SQL commands to existing queries. Because WordPress Subscriber accounts are relatively low-privilege, this broadens the attack surface significantly compared to vulnerabilities requiring administrator access. The injection can be used to extract sensitive information from the backend database, such as user data or configuration details, compromising confidentiality. The CVSS v3.1 score is 6.5 (medium), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact. No patches or exploits are currently publicly known, but the vulnerability is published and should be treated as a credible risk. The plugin’s widespread use in WordPress sites makes this a relevant threat vector for many organizations relying on this plugin for link management.

The primary impact of this vulnerability is unauthorized disclosure of sensitive data stored in the WordPress database, which may include user credentials, personal information, or site configuration details. Since the attacker needs only Subscriber-level access, which is commonly granted to registered users or commenters, the risk of exploitation is elevated compared to vulnerabilities requiring higher privileges. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach can facilitate further attacks such as privilege escalation, phishing, or targeted exploitation. Organizations running WordPress sites with the WP Links Page plugin are at risk of data leakage, reputational damage, and potential compliance violations related to data protection regulations. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code may emerge. The vulnerability’s network accessibility means remote attackers can exploit it without physical access, increasing its threat scope globally.

Immediate mitigation should focus on restricting Subscriber-level access to trusted users only and auditing existing user accounts for suspicious activity. Site administrators should disable or remove the WP Links Page plugin until an official patch is released. If disabling the plugin is not feasible, implementing a Web Application Firewall (WAF) with custom rules to detect and block SQL injection patterns targeting the 'id' parameter can reduce risk. Developers or site maintainers can apply manual code hardening by enforcing prepared statements or parameterized queries for the vulnerable SQL calls, ensuring proper input validation and escaping. Regularly monitoring logs for unusual database query patterns or error messages can help detect attempted exploitation. Finally, keeping WordPress core and all plugins updated, subscribing to vulnerability advisories, and preparing for prompt patch application once available are essential best practices.