CVE-2025-11980 is an SQL Injection vulnerability identified in the Quick Featured Images plugin for WordPress, affecting all versions up to and including 13.7.3. The root cause is insufficient escaping and lack of prepared statements in the 'delete_orphaned' function when processing user-supplied parameters. This flaw allows authenticated attackers with Editor-level privileges or higher to append arbitrary SQL commands to existing queries. However, exploitation requires social engineering to convince an author-level or higher user to insert a malicious custom field value, which then triggers the injection. The vulnerability primarily impacts confidentiality by enabling unauthorized data extraction from the WordPress database. The CVSS 3.1 base score is 4.9 (medium), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and impact limited to confidentiality. No known exploits have been reported in the wild, and no patches are currently available. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in the WordPress database, which may include user data, credentials, or site configuration details. While the vulnerability does not directly affect data integrity or availability, the exposure of confidential data can lead to further attacks such as privilege escalation, identity theft, or targeted phishing. Organizations running WordPress sites with the affected plugin and granting Editor or higher privileges to multiple users face increased risk. Attackers exploiting this flaw could gain insights into the internal database structure, potentially facilitating more advanced attacks. The requirement for social engineering to trigger the injection limits the attack scope but does not eliminate the risk, especially in environments with many users or less stringent access controls.

To mitigate this vulnerability, organizations should immediately review and restrict Editor-level and higher privileges to trusted users only, minimizing the attack surface. Implement strict input validation and sanitization on all custom field inputs, especially those that can influence database queries. Monitor and audit changes to custom fields for suspicious or unexpected values. Employ Web Application Firewalls (WAFs) with SQL Injection detection rules tailored to WordPress plugins. Since no official patch is currently available, consider temporarily disabling or replacing the Quick Featured Images plugin if feasible. Stay informed about vendor updates and apply patches promptly once released. Additionally, educate users with author-level or higher privileges about the risks of adding untrusted custom field data. Regularly back up WordPress databases and site files to enable recovery in case of compromise.