CVE-2025-10660 is an SQL Injection vulnerability identified in the WP Dashboard Chat plugin for WordPress, affecting all versions up to and including 1.0.3. The root cause is insufficient escaping and lack of prepared statements for the 'id' parameter in SQL queries. Authenticated users with Contributor-level access or higher can exploit this flaw by injecting malicious SQL code through the 'id' parameter, which is concatenated directly into SQL statements without proper sanitization. This allows attackers to append additional SQL commands to existing queries, enabling unauthorized extraction of sensitive data from the WordPress database. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS v3.1 score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, and required privileges. While no active exploits have been reported, the vulnerability poses a significant risk to confidentiality, as attackers can access data beyond their authorization level. The issue stems from CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The plugin developer has not yet released a patch, and no mitigation links are available at this time.

The primary impact of CVE-2025-10660 is the unauthorized disclosure of sensitive information stored in the WordPress database. Attackers with Contributor or higher privileges can leverage this vulnerability to extract data such as user credentials, personal information, or site configuration details, potentially leading to further compromise or privacy violations. Although the vulnerability does not directly affect data integrity or availability, the confidentiality breach can have severe consequences including data leakage, compliance violations, and reputational damage. Organizations running WordPress sites with the WP Dashboard Chat plugin are at risk, especially those with multiple contributors or less restrictive access controls. The medium severity rating indicates a moderate but tangible threat that could be exploited by insiders or attackers who have gained contributor-level access. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks.

To mitigate CVE-2025-10660, organizations should immediately assess their use of the WP Dashboard Chat plugin and restrict Contributor-level access to trusted users only. If possible, temporarily disable or uninstall the plugin until a security patch is released. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'id' parameter. Review and harden database permissions to limit the scope of data accessible by the WordPress application user. Monitor logs for unusual database query activity that may indicate exploitation attempts. Encourage plugin developers to adopt parameterized queries or prepared statements to prevent SQL injection. Regularly update WordPress core, plugins, and themes to incorporate security fixes. Additionally, conduct security awareness training for contributors to minimize the risk of insider threats. Organizations should also prepare incident response plans to quickly address any potential data breaches resulting from this vulnerability.