CVE-2025-10660: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in nicholasbosch WP Dashboard Chat
CVE-2025-10660 is a medium-severity SQL Injection vulnerability in the WP Dashboard Chat WordPress plugin, affecting all versions up to and including 1.0.3. Authenticated users with Contributor-level access or higher can exploit insufficient input sanitization on the 'id' parameter to inject malicious SQL queries and extract sensitive database information. Although no known exploits are currently in the wild, the vulnerability poses a significant risk to confidentiality. The attack vector is network-based with low attack complexity and requires no user interaction. European organizations using this plugin should prioritize patching or mitigating this flaw to prevent data leakage. Countries with high WordPress adoption and significant use of this plugin are at greater risk. Mitigation involves restricting Contributor access, applying input validation, and monitoring database queries for anomalies.
AI Analysis
Technical Summary
CVE-2025-10660 identifies a SQL Injection vulnerability in the WP Dashboard Chat plugin for WordPress, specifically in all versions up to and including 1.0.3. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89), where the 'id' parameter is not sufficiently escaped or prepared before being incorporated into SQL queries. This flaw enables authenticated attackers with Contributor-level privileges or higher to append arbitrary SQL commands to existing queries. Exploiting this vulnerability can lead to unauthorized disclosure of sensitive information stored in the WordPress database, such as user credentials, personal data, or site configuration details. The CVSS 3.1 score of 6.5 reflects a medium severity, with an attack vector over the network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N). The scope remains unchanged (S:U), and the impact is primarily on confidentiality (C:H), with no impact on integrity or availability. No patches have been linked yet, and no known exploits are reported in the wild, but the vulnerability's presence in a widely used CMS plugin makes it a credible threat. The vulnerability was reserved in September 2025 and published in October 2025 by Wordfence. The plugin’s widespread use in WordPress sites, combined with the ease of exploitation by authenticated users, underscores the need for prompt remediation.
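As an added illustration of the flaw class described above (this is not code from the WP Dashboard Chat plugin, whose source the advisory does not show), the following PHP script puts the vulnerable pattern, a request-supplied 'id' concatenated into the SQL text, beside a hardened version that validates the value and binds it as a parameter. It runs stand-alone with PHP's pdo_sqlite extension against an in-memory table; the table name, column names and sample rows are constructed for the example.

```php
<?php
// Added example, not code from the WP Dashboard Chat plugin: the CWE-89
// pattern the advisory describes (an 'id' request parameter concatenated
// into SQL) beside a hardened version. Table and column names are assumptions.

declare(strict_types=1);

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE chat_messages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO chat_messages VALUES (1, 'alice', 'hello'), (2, 'bob', 'hi')");
    return $db;
}

// Vulnerable pattern: the raw request value becomes part of the SQL text, so
// the database parser, not the application, decides what the value means.
function get_message_vulnerable(PDO $db, string $id): ?array {
    $sql = 'SELECT id, author, body FROM chat_messages WHERE id = ' . $id;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: (1) check that the value is a plain positive integer
// before it goes anywhere near SQL, (2) pass it to the database as a bound
// parameter so it can never be parsed as SQL syntax.
function get_message_hardened(PDO $db, string $id): ?array {
    // Up to 18 digits keeps the value safely inside a 64-bit integer.
    if (!preg_match('/^[1-9][0-9]{0,17}$/', $id)) {
        return null; // reject anything that is not a plain positive integer
    }
    $stmt = $db->prepare('SELECT id, author, body FROM chat_messages WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = make_db();

// A well-formed id behaves the same in both versions.
$row = get_message_hardened($db, '2');
echo 'hardened lookup of id 2 returned author: ' . $row['author'] . PHP_EOL;

// A value that is not an integer never reaches the database in the hardened
// version; the vulnerable version hands it to the SQL parser unchanged.
$rejected = get_message_hardened($db, 'abc');
echo 'hardened lookup of "abc" returned: ' . var_export($rejected, true) . PHP_EOL;
try {
    get_message_vulnerable($db, 'abc');
} catch (PDOException $e) {
    echo 'vulnerable version passed the raw value to SQL: ' . $e->getMessage() . PHP_EOL;
}
```

In a WordPress handler the equivalent of the two hardening steps is absint() followed by $wpdb->prepare() with a %d placeholder; the handler should also verify a nonce and the caller's capability with current_user_can() so that holding the Contributor role is not by itself enough to reach the query. Note that absint('abc') returns 0 rather than rejecting the input, so an explicit format check like the one above is stricter than the cast alone.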
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized data disclosure from WordPress sites using the WP Dashboard Chat plugin. Attackers with Contributor-level access can exploit the flaw to extract sensitive database information, potentially leading to privacy breaches, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Since WordPress powers a significant portion of websites across Europe, including corporate, governmental, and e-commerce platforms, the impact can be substantial if exploited. The vulnerability does not affect data integrity or availability directly but compromises confidentiality, which can cascade into further attacks or data misuse. Organizations relying on Contributor roles for content management should be particularly cautious, as these users can become vectors for exploitation. The absence of known exploits in the wild provides a window for proactive mitigation, but the medium severity and ease of exploitation warrant immediate attention.
Mitigation Recommendations
European organizations should take the following specific actions:
1) Immediately audit WordPress sites to identify installations of the WP Dashboard Chat plugin and verify the version in use.
2) Restrict Contributor-level user privileges where possible, limiting access to trusted personnel only.
3) Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'id' parameter in plugin requests.
4) Employ input validation and sanitization at the application level, especially for parameters that interact with SQL queries.
5) Monitor database query logs for unusual or unauthorized query patterns indicative of injection attempts.
6) Engage with the plugin vendor or community to obtain or develop patches or updates addressing this vulnerability.
7) Consider temporarily disabling the plugin if immediate patching is not feasible.
8) Educate site administrators and developers about the risks of SQL injection and the importance of least privilege principles.
These steps go beyond generic advice by focusing on access control, monitoring, and proactive detection tailored to this specific vulnerability.
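For recommendations 3 and 5, here is an added PHP log-review script (not from the advisory or the plugin) run over four constructed access-log lines. Rather than matching a list of SQL keywords, which varies from probe to probe, it applies the same rule the application should enforce: the 'id' parameter must be a plain integer, and any request where it is anything else is flagged. The admin-ajax.php path and the action name are assumptions standing in for the plugin's real endpoint.

```php
<?php
// Added example, not from the advisory or the plugin: flag plugin requests
// whose 'id' query parameter is not a plain integer. Request path and action
// name are assumptions; the log lines are constructed, not real traffic.

declare(strict_types=1);

const PLUGIN_PATH_HINT = 'wp-admin/admin-ajax.php'; // assumed; adjust to your install

/** Pull the request target ("/path?x=y") out of a combined-format log line. */
function extract_request(string $logLine): ?string {
    if (preg_match('/"(?:GET|POST|PUT|DELETE|PATCH|HEAD) (\S+) HTTP\/[0-9.]+"/', $logLine, $m)) {
        return $m[1];
    }
    return null;
}

/** Return the URL-decoded 'id' query parameter, or null if the request has none. */
function extract_id_param(string $target): ?string {
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);
    return (isset($params['id']) && is_string($params['id'])) ? $params['id'] : null;
}

/** True only when the value looks exactly like a database id. */
function is_plain_integer(string $value): bool {
    return preg_match('/^[0-9]{1,18}$/', $value) === 1;
}

/** Return [line number => offending id value] for plugin requests whose id is not an integer. */
function find_suspicious_ids(array $logLines): array {
    $hits = [];
    foreach (array_values($logLines) as $n => $line) {
        $target = extract_request($line);
        if ($target === null || strpos($target, PLUGIN_PATH_HINT) === false) {
            continue; // not plugin traffic (or not a parseable request line)
        }
        $id = extract_id_param($target);
        if ($id !== null && !is_plain_integer($id)) {
            $hits[$n + 1] = $id;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic): two benign, two that should be flagged.
$sampleLog = [
    '203.0.113.5 - - [15/Oct/2025:08:34:05 +0000] "GET /wp-admin/admin-ajax.php?action=chat&id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Oct/2025:08:34:09 +0000] "GET /wp-admin/admin-ajax.php?action=chat&id=42%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Oct/2025:08:35:12 +0000] "GET /wp-admin/admin-ajax.php?action=chat&id=7 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Oct/2025:08:35:20 +0000] "GET /wp-admin/admin-ajax.php?action=chat&id=not-a-number HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
];

foreach (find_suspicious_ids($sampleLog) as $lineNo => $value) {
    printf("line %d: non-integer id value %s\n", $lineNo, var_export($value, true));
}
```

Run it with the php command-line binary; for live use, feed it lines from the web server's access log filtered to the plugin's endpoint. Access logs only carry GET query strings, so if the plugin sends 'id' in a POST body the same integer check has to run in the WAF or in the application itself, where the full request is visible.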
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-17T23:08:27.726Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ef5c7dc4f69c9730e569d8
Added to database: 10/15/2025, 8:34:05 AM
Last enriched: 12/2/2025, 2:53:15 PM
Last updated: 1/18/2026, 7:35:59 AM