CVE-2025-10740: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in rupok98 URL Shortener Plugin For WordPress
The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to unauthorized access to functionality provided by the API due to a missing capability check on the verifyRequest function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify links.
AI Analysis
Technical Summary
CVE-2025-10740 identifies a SQL Injection vulnerability in the rupok98 URL Shortener Plugin for WordPress, present in all versions up to and including 3.0.7. The vulnerability stems from the verifyRequest function lacking a proper capability check, so authenticated users with Subscriber-level privileges or higher can reach API functionality that should be restricted. Note that the CVE title classifies the weakness as CWE-89 (SQL Injection), while the assigner’s description records only the missing capability check and the resulting ability to modify links; the description does not detail the injection path. The improper neutralization of special elements in SQL commands (CWE-89) allows these users to inject malicious SQL, potentially modifying shortened URLs managed by the plugin. Since Subscribers typically have limited permissions, this vulnerability significantly lowers the bar for exploitation compared to requiring administrator access. The attack vector is remote over the network (AV:N), with low attack complexity (AC:L), low privileges required (PR:L) and no user interaction (UI:N). The vulnerability affects the confidentiality, integrity, and availability of the WordPress site’s URL data, potentially redirecting users to malicious sites or disrupting service. Although no public exploits are known yet, the absence of a patch and the plugin’s widespread use in WordPress ecosystems make this a notable risk. The vulnerability was reserved in September 2025 and published in October 2025, with no patch links currently available. Organizations relying on this plugin should monitor for updates and consider mitigating controls immediately.
Potential Impact
The vulnerability allows low-privileged authenticated users to perform SQL Injection attacks, enabling unauthorized modification of URL links managed by the plugin. This can lead to redirection of legitimate traffic to malicious sites, data integrity compromise, and potential denial of service if URLs are corrupted or deleted. Confidentiality is impacted as attackers may access or manipulate sensitive URL data. Integrity is compromised through unauthorized changes to URL mappings, undermining trust in the website’s content. Availability could be affected if the plugin or site functionality is disrupted by malformed database queries or corrupted data. For organizations, this can result in reputational damage, loss of user trust, and potential downstream impacts such as phishing or malware distribution. The medium CVSS score reflects a moderate but significant risk, especially given the low privilege required to exploit and the widespread use of WordPress and its plugins globally.
Mitigation Recommendations
1. Immediately audit user roles and permissions on WordPress sites using the rupok98 URL Shortener Plugin, restricting Subscriber-level users from unnecessary access where possible.
2. Disable or uninstall the plugin temporarily if it is not critical to operations until a patch is released.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the plugin’s API endpoints.
4. Monitor logs for unusual API activity or unexpected changes to shortened URLs.
5. Keep WordPress core and all plugins updated; watch for official patches from the plugin vendor and apply them promptly once available.
6. Apply the principle of least privilege to all authenticated users to minimize risk exposure.
7. Conduct regular security assessments focusing on plugin vulnerabilities and access control weaknesses.
8. Educate site administrators about the risks of low-privileged user exploitation and encourage strong password policies to prevent account compromise.
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-19T17:34:15.725Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fb3a1e0691a1b5991606fc
Added to database: 10/24/2025, 8:34:38 AM
Last enriched: 2/27/2026, 6:38:04 PM
Last updated: 3/25/2026, 1:39:34 AM