CVE-2025-10660: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in nicholasbosch WP Dashboard Chat
The WP Dashboard Chat plugin for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
CVE-2025-10660 is a SQL injection vulnerability in the WP Dashboard Chat plugin for WordPress, affecting all versions up to and including 1.0.3. The flaw lies in how the plugin handles the ‘id’ parameter: the value is neither escaped nor bound through a prepared statement before it is embedded in a SQL query, so special characters in the supplied value change the structure of the query rather than being treated as data. Any authenticated user with Contributor-level privileges or higher can therefore inject SQL into the existing query. Because WordPress's $wpdb layer sends one statement at a time to MySQL, the realistic outcome is not stacked writes but data extraction, for example UNION-based or blind extraction of rows from other tables such as wp_users (usernames, e-mail addresses and password hashes) and wp_options (site configuration and secrets stored there by other plugins). No user interaction is required and the attack travels over the network through the site's normal request path. The CVSS v3.1 score of 6.5 (medium) reflects the requirement for a low-privileged account and a confidentiality-only impact; integrity and availability are not affected. No public exploit has been reported, but the bug class is straightforward to exploit once the injection point is known, and WordPress's large installed base makes plugin SQL injections a routine target. The advisory lists no fixed version, so administrators should treat the plugin as unpatched and apply compensating controls now.
Potential Impact
For European organizations, the risk is to the confidentiality of data held in WordPress databases. WordPress is widely used by European businesses and public-sector bodies for public websites and internal portals, and plugins such as WP Dashboard Chat are often installed for convenience without a security review. Successful exploitation would disclose personal data (at minimum the contents of the user table: usernames, e-mail addresses and password hashes), which constitutes a personal-data breach under GDPR with notification obligations and possible fines. Although a valid account is required, the Contributor role is routinely given to guest authors, agencies and other third-party collaborators, and a site that allows open registration with Contributor as the default role exposes the flaw to anyone who can sign up. Integrity and availability are not directly affected, so the immediate impact is data leakage; however, leaked password hashes can be cracked offline and reused, and secrets kept in wp_options by other plugins can enable follow-on attacks. The medium rating supports scheduled rather than emergency remediation, unless the site processes sensitive data (finance, healthcare, government) or Contributor accounts are held by parties the organization does not fully trust.
Mitigation Recommendations
1. Audit user roles and permissions immediately so that only trusted users hold Contributor-level or higher access, and check that the default role for new registrations is Subscriber, not Contributor; every account at or above Contributor is a potential source of this attack.
2. If you maintain the plugin code (or a fork of it), fix the query itself: cast the ‘id’ value with absint() and bind it through $wpdb->prepare() with a %d placeholder instead of concatenating it into the SQL string, and confirm the endpoint also performs a capability and nonce check. Site administrators cannot patch a third-party plugin this way; for them, items 4 and 5 are the practical controls.
3. Monitor web server access logs for requests to the plugin's endpoints in which the id parameter contains anything other than digits (quotes, UNION, SELECT, SLEEP, comment sequences such as -- or /*). MySQL's general query log would show the injected statements directly but is expensive to leave enabled in production, so use it only during an investigation.
4. Disable or remove the WP Dashboard Chat plugin until a vendor update that addresses this issue is released.
5. Deploy a Web Application Firewall with SQL injection rules covering WordPress plugin parameters, treating it as a stopgap rather than a fix: WAF signatures can be bypassed with encoding and comment tricks.
6. Keep WordPress core and all plugins updated so that security fixes are applied promptly once released.
7. Educate administrators and developers about SQL injection and the WordPress APIs ($wpdb->prepare(), absint(), sanitize_* functions) that prevent it.
8. Run WordPress under a database account limited to its own database so that injection cannot reach other databases on the same server, and if exploitation is suspected, rotate database credentials and force user password resets, since password hashes are among the data an attacker can extract.
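The following script is an added example, not code from the WP Dashboard Chat plugin, illustrating the vulnerable pattern described in the technical summary next to the fixed form recommended in mitigation item 2. It uses the real WordPress API names ($wpdb->prepare(), absint(), current_user_can()) but stands in for $wpdb with a small FakeWpdb class so the script runs offline under the php CLI; the table name wp_dashboard_chat, the capability checked, and the attacker payload are all assumptions made for the demonstration.

```php
<?php
// Added example, not the plugin's code. FakeWpdb mimics just enough of
// WordPress's wpdb class to show the SQL each pattern would send to MySQL.

class FakeWpdb {
    public $prefix = 'wp_';
    public $last_query = '';

    // Mirrors wpdb::prepare(): %d is cast to an integer, %s is escaped and quoted,
    // so whatever the caller supplies can never change the query's structure.
    public function prepare(string $query, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%[ds]/', function ($m) use (&$i, $args) {
            $arg = $args[$i++];
            if ($m[0] === '%d') {
                return (string) (int) $arg;
            }
            return "'" . addslashes((string) $arg) . "'";
        }, $query);
    }

    // Real wpdb would execute this against MySQL; here we only record the text.
    public function get_results(string $sql): array {
        $this->last_query = $sql;
        return [];
    }
}

// Minimal stand-ins for the WordPress helpers used below (assumptions).
function absint($maybeint): int { return abs((int) $maybeint); }
function current_user_can(string $cap): bool { return true; } // pretend the caller is allowed

$wpdb = new FakeWpdb();

// VULNERABLE pattern: the request value is concatenated straight into the SQL.
// Table name is an assumption; the advisory does not name the query.
function get_message_vulnerable(FakeWpdb $wpdb, array $request): array {
    $id = $request['id'] ?? '';
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}dashboard_chat WHERE id = $id"
    );
}

// FIXED pattern: capability check, integer cast, and a bound %d placeholder.
function get_message_fixed(FakeWpdb $wpdb, array $request): array {
    if (!current_user_can('manage_options')) { // assumed capability for this endpoint
        return [];
    }
    $id = absint($request['id'] ?? 0);
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}dashboard_chat WHERE id = %d",
            $id
        )
    );
}

// Constructed attacker input: a UNION that reads password hashes from wp_users.
// (In a real attack the number of UNION columns must match the target table.)
$malicious = ['id' => '1 UNION SELECT user_login, user_pass, 1 FROM wp_users'];

get_message_vulnerable($wpdb, $malicious);
echo "vulnerable: {$wpdb->last_query}\n";

get_message_fixed($wpdb, $malicious);
echo "fixed:      {$wpdb->last_query}\n";
```

Run it with `php example.php`: the first line shows the UNION appended intact to the query, while the second shows the payload collapsed to the integer 1 by the cast and placeholder. The capability check is there because the advisory's Contributor-level precondition implies the endpoint accepts any logged-in user with that role; restricting who can reach the query at all is a second, independent layer on top of parameterization.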
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-17T23:08:27.726Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ef5c7dc4f69c9730e569d8
Added to database: 10/15/2025, 8:34:05 AM
Last enriched: 11/25/2025, 2:42:26 PM
Last updated: 11/28/2025, 5:05:33 PM