CVE-2025-14153 identifies a time-based SQL Injection vulnerability in the Page Expire Popup/Redirection plugin for WordPress, maintained by vikasratudi. The vulnerability exists in all versions up to and including 1.0 due to insufficient escaping and lack of prepared statements when processing the 'id' shortcode attribute. Authenticated users with Author-level or higher privileges can exploit this flaw by injecting additional SQL queries into existing database commands. This injection is time-based, allowing attackers to infer sensitive information from the database by measuring response delays. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The flaw specifically affects the confidentiality of data, as attackers can extract sensitive information, but it does not affect data integrity or availability. The CVSS 3.1 score of 6.5 reflects the network attack vector, low attack complexity, required privileges, and high confidentiality impact. No patches are currently linked, and no known exploits have been reported in the wild, indicating the need for proactive mitigation. The vulnerability stems from CWE-89, which involves improper neutralization of special elements in SQL commands, a common and critical web application security issue.

This vulnerability primarily threatens the confidentiality of data stored in WordPress databases using the affected plugin. Attackers with Author-level access can exploit the SQL Injection to extract sensitive information such as user credentials, personal data, or configuration details. While the vulnerability does not directly compromise data integrity or availability, the exposure of sensitive data can lead to further attacks, including privilege escalation or targeted phishing. Organizations relying on this plugin risk data breaches that can damage reputation, incur regulatory penalties, and disrupt business operations. Since the exploit requires authenticated access, the risk is somewhat mitigated by internal controls; however, compromised or malicious insiders pose a significant threat. The lack of known exploits in the wild suggests limited current exploitation but also highlights the importance of timely patching to prevent future attacks. The widespread use of WordPress globally means that many organizations, especially those with multi-author blogs or content management workflows, could be affected.

To mitigate this vulnerability, organizations should immediately upgrade the Page Expire Popup/Redirection plugin to a patched version once available. In the absence of an official patch, administrators should consider disabling or removing the plugin to eliminate the attack surface. Implementing strict access controls to limit Author-level privileges to trusted users reduces the risk of exploitation. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the 'id' shortcode attribute can provide temporary protection. Additionally, auditing and monitoring database queries and logs for unusual activity may help detect exploitation attempts. Developers maintaining the plugin should refactor the code to use parameterized queries or prepared statements to properly sanitize user inputs. Regular security assessments and penetration testing focused on WordPress plugins can help identify similar vulnerabilities proactively. Finally, educating content authors about the risks of privilege misuse and enforcing strong authentication mechanisms will further reduce exposure.