CVE-2025-10212 is a medium-severity vulnerability affecting the SiteAlert (formerly WP Health) WordPress plugin, versions up to and including 1.9.8. The vulnerability arises from a missing authorization check (CWE-862) on multiple functions within the plugin, allowing unauthenticated attackers to access sensitive site health information. Specifically, attackers can retrieve details such as the list of installed and outdated plugins, PHP version, and database version without any authentication or user interaction. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making it relatively easy to exploit. However, the impact is limited to confidentiality as the attacker gains read-only access to information that could aid in further attacks but does not allow modification or disruption of the site. The CVSS v3.1 base score is 5.3, reflecting a medium severity level. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability could be leveraged by attackers to perform reconnaissance on WordPress sites using this plugin, potentially identifying outdated components or misconfigurations that could be exploited in subsequent attacks.

For European organizations, this vulnerability poses a moderate risk primarily related to information disclosure. Attackers gaining access to detailed site health data can identify outdated or vulnerable plugins and software versions, which may facilitate targeted attacks such as privilege escalation, code injection, or ransomware deployment. Organizations in sectors with high regulatory requirements (e.g., finance, healthcare, government) could face compliance risks if sensitive infrastructure details are exposed. Although the vulnerability does not allow direct modification or service disruption, the leaked information could be a stepping stone in multi-stage attacks. Additionally, organizations with public-facing WordPress sites using the SiteAlert plugin may experience reputational damage if attackers exploit this vulnerability to gather intelligence. The risk is heightened for entities that do not regularly update or audit their WordPress plugins and configurations.

European organizations should immediately audit their WordPress installations to determine if the SiteAlert (formerly WP Health) plugin is in use, particularly versions up to 1.9.8. If present, organizations should prioritize upgrading to a patched version once available or consider temporarily disabling the plugin to prevent unauthorized data access. In the absence of an official patch, applying custom access controls at the web server or application firewall level to restrict access to the plugin’s endpoints can mitigate exposure. Implementing strict role-based access controls within WordPress to limit plugin visibility and usage is recommended. Regularly monitoring web server logs for suspicious requests targeting SiteAlert endpoints can help detect exploitation attempts. Furthermore, organizations should maintain an up-to-date inventory of WordPress plugins and enforce timely updates to reduce exposure to similar vulnerabilities. Employing a Web Application Firewall (WAF) with rules to block unauthenticated access to sensitive plugin functions can provide an additional layer of defense.