CVE-2025-10582 identifies a critical SQL Injection vulnerability in the WP Dispatcher plugin for WordPress, versions up to and including 1.2.0. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89), specifically due to insufficient escaping and lack of prepared statements on the 'id' parameter. Authenticated attackers with Contributor-level or higher privileges can exploit this flaw by injecting additional SQL queries appended to legitimate queries. This can lead to unauthorized access to sensitive database contents, including user data, credentials, or site configuration. The vulnerability requires no user interaction beyond authentication and can be exploited remotely over the network. The CVSS 3.1 base score of 8.8 reflects the ease of exploitation (low attack complexity), the requirement for privileges (low), and the high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability poses a significant threat to WordPress sites using this plugin. The lack of available patches at the time of disclosure necessitates immediate mitigation efforts by administrators.

The impact of CVE-2025-10582 is substantial for organizations running WordPress sites with the WP Dispatcher plugin installed. Successful exploitation can lead to unauthorized disclosure of sensitive information stored in the backend database, including user credentials, personal data, and site configuration details. Attackers may also manipulate or delete data, disrupting site integrity and availability. This can result in data breaches, loss of customer trust, regulatory penalties, and operational downtime. Since the vulnerability requires only Contributor-level access, attackers can leverage compromised or weak credentials to escalate their impact. The widespread use of WordPress globally, combined with the plugin's presence, means many organizations, especially those relying on this plugin for content dispatching, are at risk. The vulnerability could also be leveraged as a foothold for further attacks within the network.

1. Immediate mitigation should focus on restricting Contributor-level user privileges and auditing existing user accounts to ensure no unauthorized users have elevated access. 2. Disable or uninstall the WP Dispatcher plugin until a vendor patch is released. 3. Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'id' parameter in plugin-related requests. 4. Monitor database logs for unusual query patterns that may indicate exploitation attempts. 5. Encourage the vendor to release a patch that properly uses parameterized queries or prepared statements to sanitize user input. 6. Regularly update WordPress core and all plugins to their latest versions to reduce exposure to known vulnerabilities. 7. Employ database user accounts with least privilege, limiting the plugin's database permissions to minimize potential damage. 8. Conduct security awareness training for administrators and content contributors about the risks of privilege misuse and credential compromise.