CVE-2025-10740 is an SQL Injection vulnerability classified under CWE-89 found in the rupok98 URL Shortener Plugin for WordPress. The vulnerability stems from a missing capability check in the verifyRequest function of the plugin's API, which is present in all versions up to and including 3.0.7. This flaw allows authenticated users with Subscriber-level privileges or higher to perform unauthorized modifications to shortened URLs managed by the plugin. The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), requiring only low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. The CVSS 3.1 base score is 6.3, reflecting a medium severity level with potential impacts on confidentiality, integrity, and availability. Specifically, an attacker could manipulate link destinations, potentially redirecting users to malicious sites, disrupting service, or leaking sensitive information. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin. The lack of a patch at the time of reporting increases the urgency for mitigation through access control and monitoring. The vulnerability highlights the importance of proper capability checks in API functions to prevent privilege escalation and unauthorized actions within WordPress plugins.

For European organizations, this vulnerability can lead to unauthorized modification of URL redirects, which may result in phishing attacks, malware distribution, or disruption of legitimate web traffic. The integrity of web content is compromised, potentially damaging brand reputation and user trust. Confidentiality may be affected if attackers leverage the vulnerability to access or manipulate sensitive link data. Availability could be impacted if attackers disrupt URL shortening services, affecting business operations reliant on these links. Organizations in sectors such as e-commerce, media, and public services that use WordPress extensively are particularly at risk. Given the medium severity and the requirement for authenticated access, insider threats or compromised low-privilege accounts pose a notable risk vector. The absence of known exploits reduces immediate risk but does not eliminate the potential for targeted attacks, especially in politically or economically sensitive environments within Europe.

1. Immediately restrict Subscriber-level and other low-privilege user access to the URL Shortener Plugin functionality by adjusting WordPress user roles and capabilities. 2. Monitor and audit API usage logs for unusual link modification activities, focusing on authenticated users with Subscriber or higher privileges. 3. Implement web application firewalls (WAF) with rules to detect and block SQL injection attempts targeting the plugin's API endpoints. 4. Apply principle of least privilege by limiting plugin access only to trusted users and administrators. 5. Regularly update WordPress core and plugins; monitor rupok98 plugin updates for patches addressing this vulnerability and apply them promptly once released. 6. Consider temporarily disabling the URL Shortener Plugin if it is not critical to business operations until a patch is available. 7. Educate users and administrators about the risks of low-privilege account compromise and enforce strong authentication mechanisms, including MFA where possible. 8. Conduct internal penetration testing focusing on WordPress plugins to identify similar capability check issues proactively.