CVE-2025-10660 identifies a SQL Injection vulnerability in the WP Dashboard Chat plugin for WordPress, affecting all versions up to and including 1.0.3. The root cause is improper neutralization of special elements in the 'id' parameter used in SQL commands, specifically due to insufficient escaping and lack of prepared statements. Authenticated users with Contributor-level privileges or higher can exploit this flaw by injecting additional SQL queries into existing database queries. This allows attackers to extract sensitive information from the database, compromising confidentiality. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS 3.1 score is 6.5 (medium), reflecting the ease of exploitation (low attack complexity), the requirement for privileges (PR:L), and the high impact on confidentiality (C:H) but no impact on integrity or availability. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-89, a common and critical class of injection flaws. Given WordPress's widespread use, this vulnerability poses a notable risk to websites using this plugin, especially those with multiple contributors.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive data stored in WordPress databases, including user information, configuration details, or other confidential content managed via the WP Dashboard Chat plugin. Since exploitation requires at least Contributor-level access, the risk is elevated in environments with multiple users or less restrictive access controls. Data breaches resulting from this vulnerability could lead to regulatory non-compliance under GDPR, reputational damage, and potential financial penalties. The lack of impact on integrity and availability limits the threat to data confidentiality, but the ability to extract sensitive information remains a critical concern. Organizations relying on WordPress for customer engagement or internal communication via this plugin are particularly at risk. The absence of known exploits reduces immediate threat but does not eliminate the risk of future attacks.

European organizations should immediately audit their WordPress installations to identify the presence of the WP Dashboard Chat plugin and verify its version. Since no official patch links are available, temporary mitigations include restricting plugin access strictly to trusted users, reducing Contributor-level privileges where possible, and disabling or uninstalling the plugin if not essential. Implementing Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'id' parameter can provide additional protection. Organizations should also enforce strict input validation and sanitization at the application level if custom modifications are feasible. Monitoring database query logs for anomalous or unexpected queries can help detect exploitation attempts. Finally, organizations should stay alert for vendor updates or patches and apply them promptly once available.