CVE-2025-10730 identifies a SQL Injection vulnerability in the Wp tabber widget plugin for WordPress, specifically in the handling of the 'wp-tabber-widget' shortcode parameter. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89), where user-supplied input is insufficiently escaped and the SQL queries are not properly prepared using parameterized statements. This flaw allows authenticated users with Contributor-level privileges or higher to append arbitrary SQL queries to existing database commands. Exploiting this vulnerability enables attackers to extract sensitive information from the WordPress database, such as user credentials, configuration data, or other confidential content, without requiring additional user interaction. The CVSS v3.1 base score is 6.5 (medium severity), reflecting a network attack vector with low complexity, requiring privileges but no user interaction, and impacting confidentiality but not integrity or availability. The vulnerability affects all versions of the plugin up to and including 4.0. No public exploits have been reported yet, but the risk remains significant given the widespread use of WordPress and the commonality of this plugin. The vulnerability was published on October 15, 2025, with the initial reservation on September 19, 2025. The lack of patches at the time of reporting necessitates immediate mitigation steps by administrators.

For European organizations, this vulnerability poses a risk to the confidentiality of sensitive data stored within WordPress databases, including customer information, internal documents, and authentication credentials. Exploitation could lead to unauthorized data disclosure, potentially resulting in regulatory non-compliance under GDPR and reputational damage. Since the vulnerability requires Contributor-level access, attackers might leverage compromised or weak user accounts to escalate their privileges and extract data. The absence of impact on integrity and availability reduces the risk of data tampering or service disruption but does not diminish the threat of data leakage. Organizations running WordPress sites with the affected plugin, especially those hosting critical or personal data, are at risk. The vulnerability could also be leveraged as a foothold for further attacks if attackers gain database information that aids lateral movement or privilege escalation. Given the medium severity and ease of exploitation, European entities should treat this as a priority vulnerability to address.

1. Immediately review and restrict Contributor-level and higher user permissions to trusted personnel only, minimizing the attack surface. 2. Monitor WordPress user accounts for suspicious activity, including unusual shortcode usage or database query patterns. 3. Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'wp-tabber-widget' shortcode parameter. 4. Regularly audit and sanitize all user inputs in WordPress plugins, especially those that interact with the database. 5. Backup WordPress databases frequently to enable recovery in case of compromise. 6. Stay alert for official patches or updates from the plugin vendor and apply them promptly once available. 7. Consider temporarily disabling or removing the Wp tabber widget plugin if it is not essential to reduce exposure. 8. Employ database activity monitoring tools to detect anomalous queries indicative of injection attempts. 9. Educate site administrators and content contributors about the risks of privilege misuse and secure coding practices. 10. Conduct penetration testing focused on SQL injection vectors within WordPress environments to identify other potential weaknesses.