CVE-2025-10289 is a SQL Injection vulnerability categorized under CWE-89, found in the Filter & Grids plugin developed by wssoffice21 for WordPress. The flaw exists in all versions up to and including 3.2.0, where the 'phrase' parameter is insufficiently escaped and the SQL queries are not properly prepared or parameterized. This allows an unauthenticated attacker to append arbitrary SQL commands to existing queries, enabling unauthorized data extraction from the backend database. The vulnerability is specific to MariaDB environments because the injected queries cause syntax errors on MySQL, preventing exploitation there. The attack vector is network-based with no privileges or user interaction required, but the complexity of exploitation is rated high due to the need to craft precise injection payloads that work only on MariaDB. The CVSS v3.1 base score is 5.9 (medium), reflecting the high confidentiality impact but no impact on integrity or availability. No patches are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the risks of improper input sanitization and the importance of using prepared statements in SQL queries within WordPress plugins.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in the WordPress site's database, such as user credentials, personal data, or configuration details. Since the vulnerability allows data extraction without authentication, attackers can leverage it to gather intelligence for further attacks or data breaches. The limitation to MariaDB reduces the overall affected population but still poses a significant threat to sites using this database backend. The integrity and availability of the system are not directly affected, but the confidentiality breach can lead to reputational damage, regulatory penalties, and loss of user trust. Organizations relying on the Filter & Grids plugin with MariaDB databases are at risk of targeted data exfiltration attacks, especially if they have not implemented additional security controls or input validation.

1. Immediately monitor for updates or patches from the wssoffice21 vendor and apply them as soon as they become available. 2. Until a patch is released, implement Web Application Firewall (WAF) rules specifically targeting suspicious SQL injection patterns in the 'phrase' parameter to block exploitation attempts. 3. Review and harden database permissions to ensure the WordPress database user has the least privileges necessary, limiting data exposure if exploited. 4. Modify the plugin's source code (if feasible) to use prepared statements with parameterized queries for all database interactions involving user input. 5. Employ input validation and sanitization on the 'phrase' parameter to reject or escape potentially malicious characters before query execution. 6. Conduct regular security audits and vulnerability scans focusing on SQL injection vectors in WordPress plugins. 7. Educate site administrators about the risks of using outdated or unpatched plugins and encourage timely updates. 8. Consider migrating from MariaDB to MySQL if feasible, as the vulnerability does not exploit MySQL due to syntax errors, though this is a more complex mitigation.