
CVE-2025-2074: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in webfactory Advanced Google reCAPTCHA

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-2074, cwe-89
Published: Fri Mar 28 2025 (03/28/2025, 07:33:05 UTC)
Source: CVE Database V5
Vendor/Project: webfactory
Product: Advanced Google reCAPTCHA

Description

CVE-2025-2074 is a medium-severity SQL Injection vulnerability in the Advanced Google reCAPTCHA WordPress plugin by webfactory. It affects all versions up to and including 1.29 and allows authenticated users with Subscriber-level access or higher to inject malicious SQL code via the 'sSearch' parameter. Exploitation requires that the plugin's settings page has not been visited and that its welcome message remains undismissed. The vulnerability arises from insufficient escaping and the lack of prepared statements in the affected SQL queries, enabling attackers to extract sensitive database information. No known exploits are currently reported in the wild. The CVSS score is 5.3, reflecting a network attack vector, low privileges required, and high impact on confidentiality. Organizations using this plugin should prioritize patching or mitigating this issue to prevent unauthorized data disclosure. Countries with significant WordPress usage and webfactory plugin adoption are at higher risk.

AI-Powered Analysis

Last updated: 02/25/2026, 22:15:52 UTC

Technical Analysis

CVE-2025-2074 identifies a SQL Injection vulnerability in the Advanced Google reCAPTCHA plugin for WordPress, maintained by webfactory. The flaw exists in all versions up to and including 1.29 due to improper neutralization of special elements in SQL commands, specifically through the 'sSearch' parameter. This parameter is insufficiently escaped and the SQL queries are not properly prepared, allowing an authenticated attacker with Subscriber-level privileges or higher to append arbitrary SQL commands. The attack surface is limited to scenarios where the plugin’s settings page has not been accessed and the welcome message has not been dismissed, conditions that affect the plugin’s internal state and query construction. Exploiting this vulnerability enables attackers to extract sensitive information from the underlying database, compromising confidentiality without affecting integrity or availability. The vulnerability requires no user interaction but does require authentication at a low privilege level. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates network exploitation with high attack complexity and partial confidentiality impact. No patches or known exploits are currently documented, but the risk remains significant due to the widespread use of WordPress and the plugin. The vulnerability is classified under CWE-89, a common and critical injection flaw category.
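The defect class the description and technical analysis refer to (a request parameter interpolated into a SQL string without `$wpdb->prepare()`) is easier to recognise side by side with its fix. The following is an added illustration written for this page; it is not the plugin's code and does not reproduce the affected query. The handler names, the table name, the capability and the nonce action are assumptions. Only the parameter name `sSearch` comes from the advisory.

```php
<?php
// Added example: a hypothetical WordPress search handler in its CWE-89
// form and in a hardened form. Nothing here is taken from the
// Advanced Google reCAPTCHA plugin; table, handler and nonce names
// are assumed for illustration.

// --- Vulnerable pattern: the value is concatenated into the query. ---
function agr_example_search_vulnerable() {
    global $wpdb;
    $search = isset( $_GET['sSearch'] ) ? wp_unslash( $_GET['sSearch'] ) : '';
    $table  = $wpdb->prefix . 'example_captcha_log'; // assumed table name

    // Quotes and SQL keywords inside $search are interpreted by MySQL,
    // so whoever controls sSearch controls the WHERE clause. No capability
    // check means any authenticated user can reach this code path.
    $sql = "SELECT id, ip, created FROM {$table} WHERE ip LIKE '%{$search}%'";
    return $wpdb->get_results( $sql );
}

// --- Hardened pattern: authorise, verify the nonce, prepare the query. ---
function agr_example_search_hardened() {
    global $wpdb;

    // 1. Subscriber-level users should not be able to run this query at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Tie the request to a nonce so it cannot be driven cross-site.
    check_admin_referer( 'agr_example_search' ); // nonce action name assumed

    $search = isset( $_GET['sSearch'] )
        ? sanitize_text_field( wp_unslash( $_GET['sSearch'] ) )
        : '';
    $table  = $wpdb->prefix . 'example_captcha_log';

    // 3. Escape LIKE wildcards separately, then let prepare() quote the
    //    value as a bound %s placeholder. The table name is built from
    //    $wpdb->prefix, not from user input.
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, ip, created FROM {$table} WHERE ip LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql );
}
```

`$wpdb->esc_like()` only neutralises `%` and `_`; it is `$wpdb->prepare()` that quotes the string, which is why both are used in that order. The capability check addresses the second half of the advisory's finding: even a correctly prepared query should not be reachable from a Subscriber account.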

Potential Impact

The primary impact of CVE-2025-2074 is unauthorized disclosure of sensitive data from the WordPress database, which may include user credentials, personal information, or site configuration details. Since the vulnerability requires only Subscriber-level access, an attacker who gains minimal privileges, potentially through compromised accounts or weak registration controls, can leverage this flaw to learn more about the system. This can facilitate further attacks such as privilege escalation, targeted phishing, or data exfiltration. Although the vulnerability does not directly affect data integrity or availability, the confidentiality breach can have serious consequences including regulatory non-compliance, reputational damage, and loss of user trust. Organizations running WordPress sites with this plugin, especially those handling sensitive or regulated data, face increased risk. The requirement that the plugin's settings page remains unvisited may limit exposure, but it also suggests that less-maintained or less-monitored sites are more likely to be vulnerable. The lack of known exploits in the wild currently reduces the immediate threat but does not eliminate future risk.

Mitigation Recommendations

To mitigate CVE-2025-2074, organizations should immediately verify if they are running the Advanced Google reCAPTCHA plugin version 1.29 or earlier and upgrade to a patched version once released by webfactory. In the absence of an official patch, administrators should consider temporarily disabling the plugin or restricting access to the WordPress dashboard to trusted users only. Additionally, dismissing the plugin’s welcome message and visiting the settings page may alter the plugin state to prevent exploitation, serving as a temporary workaround. Implementing Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'sSearch' parameter can provide additional protection. Monitoring user accounts for unusual Subscriber-level activity and enforcing strong authentication controls will reduce the risk of attacker access. Regularly auditing plugin usage and applying the principle of least privilege to WordPress roles will further limit exposure. Finally, maintaining comprehensive backups and monitoring logs for anomalous database queries can aid in early detection and recovery.
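The WAF and log-monitoring recommendations above can be turned into a concrete check. The script below is an added example, not part of the advisory or the plugin: it scans web-server access log lines for requests carrying an `sSearch` parameter whose decoded value contains SQL metacharacters, which is the kind of signal a WAF rule or a SIEM query would key on. The log lines are constructed, and the `admin-ajax.php` request path and `action` value are assumptions; the parameter name comes from the advisory.

```php
<?php
// Added example: flag access-log requests whose 'sSearch' parameter
// (the parameter named in the advisory) carries SQL metacharacters.
// Not plugin code; log lines below are constructed and the request
// path is assumed.

const AGR_SUSPICIOUS_PATTERNS = array(
    "/['\"]/"                                                  => 'quote character',
    '/--|#|\/\*/'                                              => 'SQL comment sequence',
    '/\b(union|select|sleep|benchmark|information_schema)\b/i' => 'SQL keyword',
);

// Pull the decoded sSearch value out of a combined-format log line,
// or null when the request has no such parameter.
function agr_extract_ssearch( string $log_line ): ?string {
    if ( ! preg_match( '/"(?:GET|POST) ([^ "]+) HTTP\/[\d.]+"/', $log_line, $m ) ) {
        return null;
    }
    $query = parse_url( $m[1], PHP_URL_QUERY );
    if ( $query === null || $query === false ) {
        return null;
    }
    parse_str( $query, $params ); // parse_str URL-decodes the values
    return isset( $params['sSearch'] ) ? (string) $params['sSearch'] : null;
}

// Return the labels of every pattern the value matches.
function agr_classify( string $value ): array {
    $hits = array();
    foreach ( AGR_SUSPICIOUS_PATTERNS as $regex => $label ) {
        if ( preg_match( $regex, $value ) ) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Scan a batch of log lines and collect the ones worth an alert.
function agr_scan_log( array $lines ): array {
    $alerts = array();
    foreach ( $lines as $line ) {
        $value = agr_extract_ssearch( $line );
        if ( $value === null ) {
            continue;
        }
        $hits = agr_classify( $value );
        if ( $hits ) {
            $alerts[] = array( 'line' => $line, 'sSearch' => $value, 'reasons' => $hits );
        }
    }
    return $alerts;
}

// Constructed sample: a benign search, a search with a quote and comment
// sequence, and an unrelated request.
$sample_lines = array(
    '203.0.113.5 - - [28/Mar/2025:07:33:05 +0000] "GET /wp-admin/admin-ajax.php?action=agr_search&sSearch=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/Mar/2025:07:34:11 +0000] "GET /wp-admin/admin-ajax.php?action=agr_search&sSearch=alice%27-- HTTP/1.1" 200 8192',
    '198.51.100.2 - - [28/Mar/2025:07:35:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
);

foreach ( agr_scan_log( $sample_lines ) as $alert ) {
    printf(
        "ALERT sSearch=%s (%s)\n  %s\n",
        $alert['sSearch'],
        implode( ', ', $alert['reasons'] ),
        $alert['line']
    );
}
```

Only the second constructed line is reported, with the reasons "quote character" and "SQL comment sequence". Because the advisory ties exploitation to authenticated Subscriber-level sessions, correlating such alerts with the WordPress user that owned the session cookie (from the application log rather than the web-server log) is what turns this signature into an actionable account-review task.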


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-03-06T20:49:38.920Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b1db7ef31ef0b54e408

Added to database: 2/25/2026, 9:35:25 PM

Last enriched: 2/25/2026, 10:15:52 PM

Last updated: 2/26/2026, 8:30:42 AM

Views: 1
