CVE-2025-10310: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in jayce53 Rich Snippet Site Report
The Rich Snippet Site Report plugin for WordPress is vulnerable to SQL Injection via the 'last' parameter in all versions up to, and including, 2.0.0105 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This can also be exploited via CSRF.
AI Analysis
Technical Summary
The Rich Snippet Site Report plugin for WordPress, developed by jayce53, contains a SQL Injection vulnerability identified as CVE-2025-10310. This vulnerability is due to improper neutralization of special elements in SQL commands (CWE-89), specifically through the 'last' parameter, which is insufficiently escaped and improperly prepared in SQL queries. This flaw allows unauthenticated attackers to append arbitrary SQL commands to existing queries, potentially extracting sensitive information from the backend database. The vulnerability can be exploited remotely over the network without user interaction but requires the attacker to have some level of privileges (PR:H), indicating that some form of authentication or elevated access is needed. Additionally, the vulnerability can be triggered via Cross-Site Request Forgery (CSRF), increasing the attack surface. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No patches have been published yet, and no known exploits are currently in the wild. Given the plugin's role in generating rich snippet reports, the database likely contains SEO-related metadata and possibly user or site analytics data, which could be exposed. The vulnerability affects all versions up to and including 2.0.0105, implying that any unpatched installation remains vulnerable.
Potential Impact
For European organizations, this vulnerability poses a significant risk of sensitive data exposure from WordPress sites using the Rich Snippet Site Report plugin. The extracted data could include SEO metadata, user analytics, or other confidential site information, potentially aiding further attacks or data breaches. Organizations relying on WordPress for e-commerce, media, or corporate websites may face reputational damage and compliance issues under GDPR if personal data is leaked. Since exploitation requires some privileges, insider threats or compromised accounts could escalate the risk. The CSRF vector also means that attackers could trick authenticated users into triggering the exploit, broadening the threat scope. Although the vulnerability does not affect data integrity or availability, the confidentiality breach alone can have serious consequences, including competitive disadvantage and regulatory penalties. The lack of public exploits reduces immediate risk but also means organizations must proactively address the vulnerability before attackers develop exploits.
Mitigation Recommendations
1. Monitor for and apply official patches from the plugin developer as soon as they become available.
2. Until patches are released, disable or uninstall the Rich Snippet Site Report plugin if it is not essential.
3. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'last' parameter, including typical SQL injection payloads and CSRF attack vectors.
4. Enforce strict access controls and limit privileges for WordPress users to reduce the risk of exploitation requiring high privileges.
5. Conduct regular security audits and vulnerability scans on WordPress installations to identify vulnerable plugins.
6. Educate users about CSRF risks and implement anti-CSRF tokens in web forms to mitigate CSRF exploitation.
7. Monitor logs for unusual database query patterns or unauthorized access attempts related to the plugin.
8. Consider isolating WordPress databases and restricting database user permissions to minimize data exposure in case of injection.
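The description above boils down to two missing controls: the 'last' parameter reaches the SQL text without being prepared, and the request carries no anti-CSRF token. The following is an added illustration, not the Rich Snippet Site Report plugin's own code (the page does not show it): a hypothetical WordPress AJAX handler in the weak pattern, beside the hardened form a plugin developer or site reviewer would expect. The handler names, the `rssr_reports` table, the `manage_options` capability and the assumption that 'last' is a row count are all constructed for the example.

```php
<?php
// Added illustrative example, NOT the Rich Snippet Site Report plugin's code.
// Hypothetical handler that returns the most recent "last" report rows.

// --- Weak pattern: untrusted 'last' interpolated straight into the SQL text ---
function rssr_hypothetical_vulnerable_handler() {
    global $wpdb;
    $last  = $_REQUEST['last'];                 // attacker-controlled string, never coerced
    $table = $wpdb->prefix . 'rssr_reports';    // hypothetical table name
    // The value is neither cast, escaped nor bound, so the query structure itself
    // becomes request-controlled (CWE-89). There is also no nonce or capability
    // check, so the request can be forged cross-site (CSRF).
    $rows = $wpdb->get_results( "SELECT url, status FROM {$table} ORDER BY id DESC LIMIT {$last}" );
    wp_send_json( $rows );
}

// --- Hardened form: authorize, verify nonce, coerce the type, bind the value ---
function rssr_hypothetical_hardened_handler() {
    global $wpdb;
    // 1. Capability check: only users allowed to read reports reach the query at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Nonce check defeats CSRF: a forged cross-site request cannot carry a valid token.
    check_ajax_referer( 'rssr_report', 'nonce' );
    // 3. Coerce to the type the query expects and clamp it to a sane range.
    $last = isset( $_REQUEST['last'] ) ? absint( $_REQUEST['last'] ) : 10;
    $last = min( max( $last, 1 ), 500 );
    // 4. Bind through $wpdb->prepare(); %d guarantees an integer literal in the SQL.
    //    The table name comes from $wpdb->prefix, not from the request, so interpolating it is fine.
    $table = $wpdb->prefix . 'rssr_reports';
    $sql   = $wpdb->prepare( "SELECT url, status FROM {$table} ORDER BY id DESC LIMIT %d", $last );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Register only the hardened handler; the weak one is kept above purely for contrast.
add_action( 'wp_ajax_rssr_report', 'rssr_hypothetical_hardened_handler' );
```

When reviewing a plugin for this bug class, the question to ask of every `$wpdb` call is whether each request-derived value arrives through a `prepare()` placeholder and whether the surrounding handler checks both a nonce and a capability.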
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-11T22:53:20.197Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ef5c7cc4f69c9730e5698a
Added to database: 10/15/2025, 8:34:04 AM
Last enriched: 10/15/2025, 8:55:29 AM
Last updated: 10/15/2025, 10:56:03 AM
Views: 4