CVE-2025-10175 is a SQL Injection vulnerability classified under CWE-89 that affects the WP Links Page plugin for WordPress, versions up to and including 4.9.6. The vulnerability arises from improper neutralization of special elements in the 'id' parameter used within SQL commands. Specifically, the plugin fails to properly escape user-supplied input and does not use prepared statements or parameterized queries, allowing an authenticated attacker with Subscriber-level access or higher to inject additional SQL commands. This injection can be appended to existing queries, enabling the attacker to extract sensitive information from the underlying database. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS 3.1 base score is 6.5 (medium severity), reflecting the high confidentiality impact but no impact on integrity or availability. The attack complexity is low, and privileges required are low (authenticated Subscriber). No known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risks of insufficient input validation and the importance of using prepared statements in WordPress plugin development. Organizations using this plugin should be aware of the risk of data leakage and take immediate steps to mitigate it.

For European organizations, the primary impact of this vulnerability is the potential unauthorized disclosure of sensitive data stored in WordPress databases, including user information, configuration details, and potentially other confidential content. Since the vulnerability requires only Subscriber-level authentication, it lowers the barrier for exploitation, especially on sites with open registration or weak access controls. Data breaches resulting from this vulnerability could lead to regulatory non-compliance under GDPR, reputational damage, and financial penalties. The lack of impact on integrity and availability means attackers cannot modify or disrupt data but can silently exfiltrate it, making detection more difficult. Organizations relying on the WP Links Page plugin for critical or customer-facing websites are at risk of targeted attacks aiming to harvest user data or internal information. This risk is amplified in sectors with high data sensitivity such as finance, healthcare, and government. Additionally, the widespread use of WordPress in Europe, particularly in countries with large digital economies, increases the potential attack surface.

1. Immediately audit all WordPress sites for the presence of the WP Links Page plugin and identify versions up to 4.9.6. 2. Apply vendor patches or updates as soon as they become available; if no patch exists yet, consider temporarily disabling or removing the plugin. 3. Restrict Subscriber-level privileges to trusted users only and review user registration policies to limit unauthorized account creation. 4. Implement Web Application Firewalls (WAF) with SQL Injection detection and prevention rules tailored to WordPress environments to block malicious payloads targeting the 'id' parameter. 5. Enable detailed logging and monitoring of database queries and access patterns to detect anomalous activity indicative of SQL Injection attempts. 6. Employ database user accounts with least privilege, ensuring WordPress database users cannot perform unauthorized queries or access unrelated data. 7. Educate site administrators on secure plugin management and the risks of outdated or vulnerable plugins. 8. Consider using security plugins that perform input sanitization and vulnerability scanning to identify similar issues proactively.