CVE-2025-10212 is a vulnerability classified under CWE-862 (Missing Authorization) found in the SiteAlert WordPress plugin, previously known as WP Health. The issue stems from the absence of proper capability checks on several functions within the plugin, which are intended to restrict access to site health data. Because these authorization checks are missing, unauthenticated users can invoke these functions remotely and retrieve sensitive information about the WordPress environment. This includes a list of installed plugins, their update status, the PHP version, and the database version in use. Such information disclosure can provide attackers with valuable reconnaissance data to identify potential weaknesses or outdated components for exploitation. The vulnerability affects all versions of the plugin up to and including 1.9.8. The CVSS v3.1 base score is 5.3, reflecting a medium severity level due to the ease of exploitation (no authentication or user interaction required) but limited impact confined to confidentiality loss without integrity or availability compromise. No patches or fixes are currently linked, and no active exploits have been reported. The vulnerability was publicly disclosed on October 3, 2025, with the issue reserved on September 10, 2025, by Wordfence. Organizations running this plugin should assess exposure and implement mitigations promptly.

The primary impact of CVE-2025-10212 is unauthorized disclosure of sensitive site health information. Attackers gaining access to details about installed and outdated plugins, PHP, and database versions can leverage this intelligence to identify vulnerable components and plan targeted attacks such as plugin exploits, privilege escalation, or server compromise. While the vulnerability does not allow direct modification or denial of service, the information leakage significantly lowers the attacker's effort and increases the risk of subsequent exploitation. For organizations, this can lead to increased risk of data breaches, website defacement, or malware injection if attackers exploit other vulnerabilities identified through the disclosed information. The impact is particularly critical for high-profile websites, e-commerce platforms, and sites handling sensitive user data, where attackers can use reconnaissance to bypass security controls. The absence of authentication requirements and the ability to exploit remotely heighten the risk, especially for sites with public-facing WordPress installations using the affected plugin.

To mitigate CVE-2025-10212, organizations should first verify if they are using the SiteAlert (formerly WP Health) plugin and identify the version in use. Since no official patch links are currently available, immediate mitigation steps include: 1) Temporarily disabling or uninstalling the plugin until a security update is released; 2) Restricting access to the WordPress admin and plugin endpoints via web application firewall (WAF) rules or server-level access controls to block unauthenticated requests targeting the plugin's functions; 3) Implementing strict IP whitelisting or VPN access for administrative interfaces to reduce exposure; 4) Monitoring web server logs for unusual requests to plugin endpoints that may indicate exploitation attempts; 5) Keeping all WordPress core, themes, and other plugins updated to reduce the overall attack surface; 6) Following vendor announcements closely for patches or updates addressing this vulnerability and applying them promptly once available. Additionally, security teams should conduct regular vulnerability assessments and penetration tests to detect similar authorization issues.