CVE-2025-10730 identifies a SQL Injection vulnerability in the Wp tabber widget plugin for WordPress, affecting all versions up to and including 4.0. The vulnerability arises from insufficient escaping of user-supplied input passed via the 'wp-tabber-widget' shortcode and the absence of prepared SQL statements, allowing an attacker with Contributor-level privileges or higher to append arbitrary SQL queries to existing database commands. This improper neutralization of special elements in SQL commands (CWE-89) enables extraction of sensitive information from the backend database, such as user data or site configuration details. The attack vector requires authenticated access, but no additional user interaction is necessary. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, and partial privileges required. The vulnerability does not affect data integrity or availability but compromises confidentiality. No patches are currently available, and no known exploits have been reported in the wild. The vulnerability was publicly disclosed on October 15, 2025, with Wordfence as the assigner. The plugin is widely used in WordPress environments, making this a relevant threat to many websites that allow Contributor-level user roles and utilize this widget for content display.

The primary impact of CVE-2025-10730 is unauthorized disclosure of sensitive information stored in the WordPress site's database. Attackers with Contributor-level access can exploit the SQL Injection flaw to extract data such as user credentials, personal information, or site configuration details, potentially leading to further attacks or privacy violations. Although the vulnerability does not allow modification or deletion of data (integrity) or cause denial of service (availability), the confidentiality breach can have serious consequences, including compliance violations and reputational damage. Organizations running WordPress sites with this plugin and Contributor-level users are at risk globally. The ease of exploitation is moderate since authentication is required, but the low attack complexity and network accessibility increase the threat. The scope includes all sites using the vulnerable plugin versions, which may be significant given WordPress's market share. The absence of known exploits in the wild currently limits immediate widespread impact but does not preclude future exploitation.

To mitigate CVE-2025-10730, organizations should immediately review and restrict Contributor-level user permissions, limiting the number of users with such access to trusted personnel only. Implement strict input validation and sanitization on all shortcode parameters, especially those processed by the Wp tabber widget. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the shortcode parameter. Monitor logs for unusual database query patterns or access attempts by Contributor users. Since no official patch is currently available, consider temporarily disabling the Wp tabber widget plugin or replacing it with a secure alternative until a fix is released. Engage with the plugin vendor or community to track patch availability and apply updates promptly once released. Additionally, conduct regular security audits and penetration testing focused on WordPress plugins to identify similar vulnerabilities proactively.