CVE-2025-11980 is a SQL Injection vulnerability identified in the Quick Featured Images plugin for WordPress, affecting all versions up to and including 13.7.3. The root cause is improper neutralization of special elements in SQL commands (CWE-89) within the 'delete_orphaned' function. Specifically, the plugin fails to sufficiently escape user-supplied parameters and does not properly prepare SQL statements, allowing an attacker with Editor-level privileges or higher to append arbitrary SQL queries. Exploitation requires the attacker to persuade an author-level or higher user to insert a malicious custom field value, which is then processed by the vulnerable function. This flaw enables unauthorized extraction of sensitive information from the WordPress database, compromising confidentiality. The vulnerability does not impact data integrity or availability. The CVSS v3.1 base score is 4.9 (medium), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. No public exploits are known at this time. The vulnerability highlights the risks of insufficient input validation and the dangers of privilege escalation within WordPress content management workflows.

For European organizations, this vulnerability poses a risk of sensitive data leakage from WordPress databases, potentially exposing user data, configuration details, or proprietary content. Organizations relying on WordPress for content management with multiple editors or authors are particularly vulnerable, as the attack requires authenticated users with elevated privileges. Data confidentiality breaches can lead to regulatory non-compliance under GDPR, reputational damage, and potential financial penalties. Although the vulnerability does not directly affect data integrity or availability, the exposure of sensitive information can facilitate further attacks or social engineering. The risk is heightened in sectors with strict data protection requirements, such as finance, healthcare, and government. Additionally, organizations with public-facing WordPress sites are at risk of targeted attacks aiming to extract confidential information. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

European organizations should prioritize updating the Quick Featured Images plugin to a patched version once available. Until a patch is released, implement strict input validation and sanitization on all custom field inputs, especially those accessible by authors and editors. Limit Editor and higher privileges to trusted users only and monitor their activities for suspicious behavior. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the plugin's functions. Conduct regular security audits of WordPress plugins and user permissions. Consider disabling or removing the Quick Featured Images plugin if it is not essential. Additionally, implement database access controls to restrict the scope of data accessible by the WordPress application. Maintain comprehensive logging and alerting to detect potential exploitation attempts. Educate content authors and editors about the risks of inserting untrusted data into custom fields.