CVE-2025-10730 identifies a SQL Injection vulnerability in the Wp tabber widget plugin for WordPress, present in all versions up to and including 4.0. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89), specifically due to insufficient escaping of user-supplied input in the 'wp-tabber-widget' shortcode and the absence of prepared statements in the underlying SQL queries. This flaw enables authenticated users with Contributor-level permissions or higher to append arbitrary SQL commands to existing queries. The attack vector requires no user interaction beyond authentication, and the vulnerability is remotely exploitable over the network. Successful exploitation can result in unauthorized disclosure of sensitive information stored in the WordPress database, such as user data or site configuration details. However, the vulnerability does not allow modification or deletion of data (integrity) nor does it impact service availability. The CVSS v3.1 base score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, and required privileges. No public exploits have been reported yet, but the risk remains significant due to the common use of WordPress and the plugin in question. The lack of patch links indicates that a fix may not yet be available, underscoring the need for immediate mitigation steps.

For European organizations, this vulnerability poses a risk of unauthorized data disclosure from WordPress sites using the Wp tabber widget plugin. Sensitive information such as user credentials, personal data, or configuration details could be extracted by malicious insiders or compromised contributor accounts. This could lead to privacy violations under GDPR, reputational damage, and potential regulatory penalties. Since the vulnerability requires contributor-level access, the threat is more pronounced in environments with large or loosely controlled content contributor bases. The impact is primarily on confidentiality; integrity and availability remain unaffected. Organizations relying on WordPress for public-facing or internal sites that use this plugin are at risk of data leakage, which could facilitate further attacks or data misuse. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as exploit code could emerge rapidly once public disclosure occurs.

European organizations should immediately audit WordPress installations to identify the presence of the Wp tabber widget plugin and verify its version. Until a patch is released, restrict Contributor-level permissions to trusted users only and consider temporarily disabling the plugin if feasible. Implement web application firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'wp-tabber-widget' shortcode parameters. Monitor database query logs for unusual or unexpected queries that may indicate exploitation attempts. Encourage developers and administrators to apply secure coding practices, including the use of prepared statements and proper input validation, when maintaining or updating plugins. Stay alert for official patches or updates from the vendor and apply them promptly. Additionally, conduct regular security assessments and penetration tests focusing on WordPress plugins to identify similar vulnerabilities proactively.