CVE-2025-10310 is an SQL Injection vulnerability identified in the 'Rich Snippet Site Report' WordPress plugin developed by jayce53. This vulnerability exists in all versions up to and including 2.0.0105 due to insufficient sanitization and escaping of the 'last' parameter in SQL queries. The plugin fails to properly prepare SQL statements, allowing attackers to append malicious SQL code to existing queries. This improper neutralization of special elements used in SQL commands (CWE-89) enables unauthenticated attackers to execute arbitrary SQL queries against the backend database. The vulnerability can be exploited remotely without user interaction, although it requires some level of privileges (PR:H) on the WordPress site. Additionally, Cross-Site Request Forgery (CSRF) can be leveraged to trigger the injection. The impact primarily concerns confidentiality, as attackers can extract sensitive data from the database, but integrity and availability are not directly affected. No patches or fixes have been released at the time of publication, and no known exploits have been observed in the wild. The vulnerability was reserved on September 11, 2025, and published on October 15, 2025. The CVSS v3.1 base score is 4.9, reflecting medium severity with network attack vector, low attack complexity, and no user interaction required.

The primary impact of CVE-2025-10310 is unauthorized disclosure of sensitive information stored in the WordPress site's database. Attackers exploiting this vulnerability can extract confidential data such as user credentials, personal information, or site configuration details, potentially leading to further compromise or data breaches. Since the vulnerability does not affect data integrity or availability, it is less likely to cause site defacement or denial of service. However, the ability to perform SQL Injection without authentication increases the risk profile, especially for sites with privileged users or sensitive data. Organizations relying on the Rich Snippet Site Report plugin may face reputational damage, regulatory penalties, and loss of customer trust if exploited. The lack of patches increases exposure time, and the possibility of CSRF exploitation broadens the attack surface. Given WordPress's global popularity, the vulnerability could affect a wide range of industries and regions, particularly those with high WordPress usage and reliance on SEO and snippet reporting tools.

1. Immediate mitigation involves disabling or uninstalling the Rich Snippet Site Report plugin until an official patch is released. 2. Restrict access to the WordPress admin panel and plugin settings to trusted users only, minimizing privilege exposure. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection payloads targeting the 'last' parameter. 4. Employ strict Content Security Policy (CSP) and anti-CSRF tokens to reduce the risk of CSRF exploitation. 5. Regularly monitor server and application logs for unusual query patterns or repeated access attempts to the vulnerable parameter. 6. Keep WordPress core, themes, and other plugins updated to reduce overall attack surface. 7. Once a patch is available, apply it promptly and verify the fix through security testing. 8. Conduct database access audits and consider encrypting sensitive data at rest to limit exposure in case of compromise. 9. Educate site administrators about the risks of installing unverified plugins and encourage minimal plugin usage.