
CVE-2025-10635: CWE-89 SQL Injection in Find Me On

Severity: High
Tags: Vulnerability, CVE-2025-10635, CWE-89
Published: Wed Oct 08 2025 (10/08/2025, 06:00:03 UTC)
Source: CVE Database V5
Product: Find Me On

Description

The Find Me On WordPress plugin through 2.0.9.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers and above to perform SQL injection attacks.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 04/03/2026, 03:28:09 UTC

Technical Analysis

CVE-2025-10635 is a SQL Injection vulnerability identified in the 'Find Me On' WordPress plugin versions through 2.0.9.1. The root cause is the plugin's failure to sanitize and escape a specific parameter before embedding it into an SQL statement. This improper input handling allows authenticated users with subscriber or higher privileges to inject malicious SQL code. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) indicates that the attack can be launched remotely with low attack complexity, requires privileges (subscriber or above), no user interaction, and results in a confidentiality breach with scope change. Exploitation could allow attackers to extract sensitive information from the database, potentially exposing user data or site configuration details. Although no public exploits are currently known, the vulnerability's characteristics make it a significant risk for affected WordPress sites. The lack of available patches at the time of publication increases the urgency for mitigation. The vulnerability falls under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), a common and critical web application security issue.

Potential Impact

The primary impact of CVE-2025-10635 is the unauthorized disclosure of sensitive data stored in the WordPress site's database. Attackers with subscriber-level access can exploit the SQL Injection flaw to extract confidential information such as user credentials, personal data, or site configuration details. Although the vulnerability does not allow modification or deletion of data (no integrity or availability impact), the confidentiality breach can lead to further attacks, including privilege escalation or targeted phishing. Organizations running WordPress sites with the 'Find Me On' plugin are at risk of data leakage, which can damage reputation, violate privacy regulations, and result in financial penalties. The vulnerability's ease of exploitation and remote attack vector increase the likelihood of exploitation attempts, especially in environments with many subscribers or contributors. The absence of known exploits in the wild currently limits immediate widespread impact, but the potential for rapid weaponization exists once exploit code becomes available.

Mitigation Recommendations

To mitigate CVE-2025-10635, organizations should immediately upgrade the 'Find Me On' plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should consider temporarily disabling the plugin to eliminate the attack surface. Additionally, restricting subscriber-level permissions to only trusted users can reduce risk. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the vulnerable parameter can provide interim protection. Regularly auditing user roles and monitoring database query logs for suspicious activity can help detect exploitation attempts. Developers maintaining the plugin should apply secure coding practices by properly sanitizing and escaping all user inputs before SQL query construction, preferably using parameterized queries or prepared statements. Finally, organizations should ensure that WordPress core and all plugins are kept up to date and conduct periodic security assessments to identify similar vulnerabilities.
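The recommendation to build queries with parameterized statements rather than string concatenation is the core developer fix for CWE-89. The following is an added example, not code from the page or from the Find Me On plugin: it places the vulnerable concatenation pattern beside its bound-parameter replacement against a constructed in-memory SQLite table, so the difference in behaviour can be observed directly. The table name, columns and the `network` parameter are assumptions chosen for illustration; the plugin's actual parameter is not named on the page. In a WordPress plugin the same bound-parameter form is written with `$wpdb->prepare()`.

```python
import sqlite3


def build_sample_db():
    """Constructed sample data standing in for a plugin table in the WordPress database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles ("
        "id INTEGER PRIMARY KEY, user_login TEXT, network TEXT, handle TEXT)"
    )
    conn.executemany(
        "INSERT INTO profiles (user_login, network, handle) VALUES (?, ?, ?)",
        [
            ("alice", "twitter", "alice_t"),
            ("bob", "github", "bobdev"),
            ("carol", "mastodon", "carol@example.social"),
        ],
    )
    return conn


def lookup_vulnerable(conn, network):
    """CWE-89 pattern: the untrusted value is spliced into the SQL text itself.

    Any quote character in `network` ends the string literal and the rest of
    the input is parsed as SQL, which is exactly the defect the advisory describes.
    """
    sql = "SELECT user_login, handle FROM profiles WHERE network = '" + network + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, network):
    """Fixed pattern: the value is passed as a bound parameter.

    The SQL text is fixed at call time; the database receives `network` as data
    only, so quotes inside it are compared literally and never change the query.
    """
    sql = "SELECT user_login, handle FROM profiles WHERE network = ?"
    return conn.execute(sql, (network,)).fetchall()


def compare(conn, network):
    """Return (vulnerable_rows, hardened_rows) for the same input, for side-by-side review."""
    return lookup_vulnerable(conn, network), lookup_hardened(conn, network)


if __name__ == "__main__":
    db = build_sample_db()
    # Ordinary input: both forms answer the same question.
    print("benign   :", compare(db, "github"))
    # Input containing a quote: the concatenated query leaks every row,
    # the parameterized query correctly finds no network by that name.
    print("quoted   :", compare(db, "x' OR '1'='1"))
```

For a benign value both functions return the single matching row. For a value that contains a quote, the concatenated query matches every row in the table while the parameterized query returns nothing, because the quote is treated as part of the data rather than as SQL syntax. The same property is what makes a `$wpdb->prepare()` call the appropriate fix in the plugin itself; a WAF rule that blocks quotes on the affected parameter only narrows the window until that fix is applied.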


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2025-09-17T13:13:58.985Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68e60222b199f1604119595f

Added to database: 10/8/2025, 6:18:10 AM

Last enriched: 4/3/2026, 3:28:09 AM

Last updated: 5/9/2026, 11:24:15 PM

Views: 146
