CVE-2025-10175 identifies a SQL Injection vulnerability in the WP Links Page plugin for WordPress, specifically affecting all versions up to and including 4.9.6. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89) due to insufficient escaping of the 'id' parameter supplied by users. This parameter is incorporated into SQL queries without adequate preparation or parameterization, allowing attackers with authenticated access at the Subscriber level or above to append arbitrary SQL commands. Exploiting this flaw, an attacker can extract sensitive information from the underlying database, compromising confidentiality without affecting integrity or availability. The vulnerability does not require user interaction and can be exploited remotely over the network, with low attack complexity. While no public exploits have been reported yet, the risk remains significant given the widespread use of WordPress and the plugin’s presence. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates a network attack vector, low complexity, requiring privileges but no user interaction, with a high impact on confidentiality. The lack of a patch at the time of reporting necessitates immediate mitigation efforts by site administrators.

For European organizations, this vulnerability poses a considerable risk to the confidentiality of sensitive data stored in WordPress databases, including user information, business data, and potentially payment details if stored. Exploitation could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and financial losses. Since the vulnerability requires only Subscriber-level access, attackers could leverage compromised or weak user credentials to escalate their impact. The absence of known exploits currently limits immediate widespread damage, but the potential for targeted attacks against European businesses using this plugin is high. Organizations relying on WordPress for e-commerce, content management, or customer engagement are particularly vulnerable. The impact is amplified in sectors with strict data protection requirements, such as finance, healthcare, and government.

1. Immediately audit WordPress installations to identify the presence of the WP Links Page plugin and its version. 2. Disable or remove the plugin if it is not essential to reduce the attack surface. 3. If the plugin is required, restrict user roles to minimize Subscriber-level access or implement stricter access controls and monitoring. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the 'id' parameter. 5. Monitor database logs and application logs for unusual query patterns indicative of injection attempts. 6. Regularly update WordPress core and plugins once a patch is released by the vendor. 7. Implement database user permissions with the principle of least privilege to limit data exposure in case of exploitation. 8. Educate administrators and users about credential security to prevent unauthorized access. 9. Consider deploying runtime application self-protection (RASP) tools to detect and block injection attacks dynamically.