CVE-2025-10289: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in wssoffice21 Filter & Grids
The Filter & Grids plugin for WordPress is vulnerable to SQL Injection via the 'phrase' parameter in all versions up to, and including, 3.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This only works on MariaDB as the query results in a syntax error on MySQL.
AI Analysis
Technical Summary
CVE-2025-10289 identifies a SQL Injection vulnerability in the Filter & Grids plugin for WordPress, developed by wssoffice21, affecting all versions up to 3.2.0. The vulnerability stems from improper neutralization of special elements in the 'phrase' parameter, which is directly incorporated into SQL queries without sufficient escaping or parameterization. This allows unauthenticated attackers to append arbitrary SQL commands to existing queries, enabling extraction of sensitive data from the underlying database. The issue specifically affects MariaDB databases because the crafted injection payloads cause syntax errors on MySQL, preventing exploitation on that platform. The vulnerability does not require user authentication or interaction but has a high attack complexity due to the need to craft precise injection payloads. The CVSS 3.1 score is 5.9 (medium severity), reflecting the high confidentiality impact but no impact on integrity or availability. No public exploits have been reported to date. The vulnerability is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Since the plugin is widely used in WordPress environments, especially those leveraging MariaDB, this vulnerability poses a significant risk of data leakage if exploited. The lack of patches at the time of reporting necessitates immediate mitigation through compensating controls.
Potential Impact
For European organizations, the primary impact is unauthorized disclosure of sensitive information stored in WordPress databases using the Filter & Grids plugin with MariaDB backends. This could include user data, configuration details, or other confidential content, potentially leading to privacy violations under GDPR and reputational damage. The vulnerability does not allow modification or deletion of data, nor does it cause denial of service, limiting the scope to confidentiality breaches. Organizations with public-facing WordPress sites are particularly vulnerable as the exploit requires no authentication. The medium severity rating suggests a moderate risk, but the potential regulatory and compliance consequences in Europe elevate the importance of addressing this issue promptly. Attackers could leverage this vulnerability to gather intelligence for further attacks or social engineering campaigns. The lack of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation.
Mitigation Recommendations
1. Monitor wssoffice21 and WordPress plugin repositories for official patches and apply them immediately upon release.
2. Until patches are available, restrict database user permissions to the minimum necessary, avoiding excessive read privileges that could be exploited.
3. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the 'phrase' parameter.
4. Conduct code reviews or audits of the Filter & Grids plugin usage to identify and isolate vulnerable endpoints.
5. Employ database activity monitoring to detect anomalous query patterns indicative of injection attempts.
6. Consider migrating from MariaDB to MySQL if feasible, as the vulnerability does not exploit MySQL due to syntax errors.
7. Educate development and security teams about the risks of SQL injection and the importance of parameterized queries and input validation.
8. Regularly back up WordPress databases and configurations to enable recovery in case of compromise.
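The following PHP is an added illustration for the technical summary and for recommendation 7 above; it is not code from the Filter & Grids plugin and does not reproduce the actual vulnerable query, which the advisory does not publish. It shows the generic "string-concatenated search term" pattern that CWE-89 describes for a parameter like 'phrase', beside the WordPress-idiomatic fix using $wpdb->esc_like() and $wpdb->prepare(). The function names (fg_search_vulnerable, fg_search_safe, fg_handle_search) and the AJAX action name 'fg_search' are hypothetical; the code assumes it runs inside a loaded WordPress installation where the global $wpdb object exists.

```php
<?php
// Added illustration (not the plugin's code): the pattern behind CWE-89 in a
// WordPress search handler, and the prepared-statement form that closes it.
// Assumes WordPress is loaded so that the global $wpdb object exists.

// VULNERABLE PATTERN (do not use): the user-supplied term is interpolated
// straight into the SQL string. Any quote or comment sequence inside it
// changes the structure of the query instead of being treated as data, which
// is the "insufficient escaping / lack of preparation" the advisory describes.
function fg_search_vulnerable( $phrase ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_status = 'publish' AND post_title LIKE '%" . $phrase . "%'";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: validate the input, then bind it through $wpdb->prepare().
// esc_like() neutralises the LIKE wildcards (% and _) so a caller cannot widen
// the match; prepare() quotes and escapes the bound value so the database can
// never parse it as SQL, regardless of whether the backend is MySQL or MariaDB.
function fg_search_safe( $phrase ) {
    global $wpdb;

    // Input validation: only a short, plain string is an acceptable search term.
    if ( ! is_string( $phrase ) ) {
        return array();
    }
    $phrase = trim( sanitize_text_field( $phrase ) );
    if ( '' === $phrase || mb_strlen( $phrase ) > 100 ) {
        return array();
    }

    $like = '%' . $wpdb->esc_like( $phrase ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s
         LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}

// Hypothetical unauthenticated AJAX endpoint reading the parameter the advisory
// names. wp_unslash() removes the slashes WordPress adds to request data so that
// escaping is applied exactly once, inside prepare().
add_action( 'wp_ajax_nopriv_fg_search', 'fg_handle_search' );
add_action( 'wp_ajax_fg_search', 'fg_handle_search' );
function fg_handle_search() {
    $phrase  = isset( $_GET['phrase'] ) ? wp_unslash( $_GET['phrase'] ) : '';
    $results = fg_search_safe( $phrase );
    wp_send_json_success( $results );
}
```

When auditing a plugin for this bug class (recommendation 4), the thing to look for is exactly the first function's shape: a request value reaching `$wpdb->query()`, `$wpdb->get_results()` or `$wpdb->get_var()` by string concatenation rather than through a `%s`/`%d` placeholder in `$wpdb->prepare()`. Escaping the value with `esc_sql()` alone is weaker than preparing it, because it depends on the value landing inside a quoted string context; the prepared form does not.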
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-11T17:23:05.411Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693d169bdd056aa40b71808d
Added to database: 12/13/2025, 7:32:43 AM
Last enriched: 12/13/2025, 7:47:53 AM
Last updated: 12/15/2025, 4:27:52 AM