CVE-2025-10726 is a critical SQL Injection vulnerability identified in the WPRecovery plugin for WordPress, developed by quantumrose. The vulnerability exists in all versions up to and including 2.0 and is caused by improper neutralization of special elements in the 'data[id]' parameter. Specifically, the plugin fails to properly escape or prepare this user-supplied input before incorporating it into SQL queries. This allows unauthenticated attackers to append arbitrary SQL commands to existing queries, enabling extraction of sensitive database information. Furthermore, the results of the injected SQL query are passed directly to PHP's unlink() function, which is used to delete files on the server. This chaining of vulnerabilities allows attackers to delete arbitrary files by injecting file paths through the SQL injection vector, potentially leading to denial of service or further compromise. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 9.1 (critical), reflecting the high impact on integrity and availability, with network attack vector, low attack complexity, and no privileges required. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the published date. The vulnerability was reserved on 2025-09-19 and published on 2025-10-03.

The impact of CVE-2025-10726 is severe for organizations using the WPRecovery plugin. Attackers can extract sensitive data from the WordPress database, potentially exposing user credentials, personal information, or other confidential data. The ability to delete arbitrary files on the server via the unlink() function can lead to disruption of website functionality, data loss, or even full site compromise if critical files are removed. This could result in significant downtime, reputational damage, and financial loss. Since the vulnerability requires no authentication and can be exploited remotely, it poses a high risk to any exposed WordPress installations using this plugin. The widespread use of WordPress globally means that many organizations, from small businesses to large enterprises, could be affected. The lack of known exploits in the wild currently provides a window for remediation, but the ease of exploitation and critical severity score suggest attackers may develop exploits rapidly.

Immediate mitigation steps include disabling or uninstalling the WPRecovery plugin until a secure patch is released by quantumrose. Organizations should monitor official vendor channels for updates or security advisories. As a temporary workaround, web application firewalls (WAFs) can be configured to detect and block suspicious SQL injection patterns targeting the 'data[id]' parameter. Implementing strict input validation and sanitization at the application level can reduce risk. Restricting file system permissions to limit PHP's unlink() function from deleting critical files can mitigate the impact of arbitrary file deletion. Regular backups of website data and files should be maintained to enable recovery in case of an attack. Network segmentation and limiting administrative access to WordPress installations can further reduce exposure. Security teams should conduct thorough audits of WordPress plugins and remove any unnecessary or untrusted components.