The Visualizer: Tables and Charts Manager for WordPress plugin suffers from an SQL Injection vulnerability (CVE-2025-12483) due to improper neutralization of special elements in SQL commands (CWE-89). Specifically, the 'query' parameter is not properly escaped or parameterized, allowing attackers with authenticated access at Contributor level or above to append arbitrary SQL commands to existing queries. This vulnerability enables attackers to extract sensitive information from the WordPress database without requiring administrator privileges in versions up to 3.11.12. The plugin's developers increased the minimum required privilege to administrator in version 3.11.13 and fully patched the issue in 3.11.14 by implementing proper input validation and prepared statements. The CVSS 3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, and partial confidentiality impact without affecting integrity or availability. No public exploits have been reported, but the vulnerability poses a significant risk due to the common use of this plugin and the potential sensitivity of data stored in WordPress databases.

The primary impact of this vulnerability is unauthorized disclosure of sensitive data stored in the WordPress database, which may include user credentials, personal information, or business-critical data. Since exploitation requires authenticated access at Contributor level or higher (lowered to Administrator in later versions), the risk is elevated in environments where user roles are not tightly controlled. Attackers could leverage this flaw to perform data exfiltration, potentially leading to privacy violations, compliance breaches, and reputational damage. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can have severe consequences. Organizations running affected versions of the plugin on publicly accessible WordPress sites are at risk, especially if they have multiple contributors or weak access controls.

1. Immediate upgrade to Visualizer plugin version 3.11.14 or later, which fully patches the vulnerability. 2. Restrict user roles and permissions to the minimum necessary, especially limiting Contributor and Administrator access to trusted users only. 3. Implement Web Application Firewall (WAF) rules that detect and block suspicious SQL injection patterns targeting the 'query' parameter. 4. Regularly audit WordPress user accounts and remove or downgrade unnecessary privileged accounts. 5. Monitor database access logs for unusual query patterns indicative of injection attempts. 6. Employ database activity monitoring tools to detect anomalous queries. 7. Educate site administrators and developers about secure coding practices, emphasizing the use of parameterized queries and input validation. 8. Consider isolating critical WordPress installations behind VPNs or IP whitelisting to reduce exposure.