CVE-2025-2128: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in stylemix Cost Calculator Builder
CVE-2025-2128 is a medium-severity SQL Injection vulnerability in the WordPress plugin Cost Calculator Builder by stylemix, affecting all versions up to 3.2.67. It allows authenticated users with Subscriber-level access or higher to exploit insufficient input sanitization on the 'order_ids' parameter, enabling time-based SQL Injection attacks. Attackers can append malicious SQL queries to extract sensitive database information without requiring user interaction. The vulnerability does not impact integrity or availability but poses a significant confidentiality risk. No known exploits are currently reported in the wild. Mitigation requires patching the plugin or applying strict input validation and query parameterization. Countries with large WordPress user bases and e-commerce activity, such as the United States, Germany, United Kingdom, Australia, Canada, and India, are most at risk. Organizations should prioritize remediation to prevent data leakage from compromised WordPress sites.
AI Analysis
Technical Summary
CVE-2025-2128 identifies a time-based SQL Injection vulnerability in the Cost Calculator Builder WordPress plugin developed by stylemix. The flaw exists in all plugin versions up to and including 3.2.67 due to improper neutralization of special elements in the 'order_ids' parameter. Specifically, the plugin fails to sufficiently escape user-supplied input and does not use prepared statements or parameterized queries, allowing attackers to inject arbitrary SQL code. Exploitation requires authentication at Subscriber level or higher, which is a relatively low privilege level in WordPress, making the attack vector accessible to many users. The vulnerability enables attackers to append additional SQL queries to existing ones, facilitating the extraction of sensitive data from the backend database through time-based blind SQL Injection techniques. This type of attack infers data by measuring response delays, thus not requiring direct error messages or visible output. The CVSS v3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high confidentiality impact but no integrity or availability impact. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered exploitable. The plugin is widely used in WordPress environments, which are prevalent globally, especially in small to medium business websites that rely on cost estimation tools. The lack of a patch link indicates that a fix may not yet be available, increasing urgency for mitigation.
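As an added illustration (not code from the advisory, the plugin, or stylemix, and not a reconstruction of the plugin's handler), the following PHP shows the defensive pattern the analysis contrasts the plugin against: the 'order_ids' value is reduced to a strict list of positive integers and bound through $wpdb->prepare() with one %d placeholder per id, behind a nonce check and a capability check above Subscriber. The function names, the AJAX action, the capability requirement and the table name are hypothetical.

```php
<?php
// Added example, not the plugin's code and not a reconstruction of it: one
// way to handle an 'order_ids' request parameter so that it can only ever be
// a list of positive integers bound through $wpdb->prepare(). Function names,
// the AJAX action, the capability and the table name are hypothetical.
//
// The unsafe pattern the advisory describes has the general shape
//     "... WHERE id IN ({$_POST['order_ids']})"
// where the raw request string becomes part of the SQL text.

declare(strict_types=1);

/**
 * Normalise a raw request value (array or comma-separated string) into a
 * de-duplicated list of positive integers. Any element that is not a plain
 * decimal integer rejects the whole value (empty array), so nothing
 * partially trusted ever reaches the query.
 */
function ccb_example_validate_order_ids($raw): array
{
    $items = is_array($raw) ? $raw : explode(',', (string) $raw);
    $ids = [];
    foreach ($items as $item) {
        if (!is_scalar($item)) {
            return [];
        }
        $item = trim((string) $item);
        // ctype_digit() accepts only [0-9]+, so '', '-1', '1;' and '1 OR 1=1' all fail.
        // The length cap keeps (int) from saturating on absurdly long digit strings.
        if ($item === '' || !ctype_digit($item) || strlen($item) > 18) {
            return [];
        }
        $id = (int) $item;
        if ($id <= 0) {
            return [];
        }
        $ids[$id] = $id; // keyed by value to de-duplicate
    }
    return array_values($ids);
}

/**
 * Run the lookup with one %d placeholder per id. $wpdb->prepare() renders
 * each %d as an integer literal, so the list cannot change the query shape.
 */
function ccb_example_fetch_orders(wpdb $wpdb, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    $table = $wpdb->prefix . 'ccb_example_orders'; // hypothetical table name
    $sql = $wpdb->prepare(
        "SELECT id, status, total FROM {$table} WHERE id IN ({$placeholders})",
        ...$ids
    );
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

/**
 * AJAX handler: nonce check, capability check, validation, then the prepared
 * query. Requiring a capability above Subscriber closes the low-privilege
 * path the advisory describes.
 */
function ccb_example_ajax_orders(): void
{
    check_ajax_referer('ccb_example_orders', 'nonce');
    if (!current_user_can('edit_others_posts')) { // hypothetical capability requirement
        wp_send_json_error('forbidden', 403);
    }
    $ids = ccb_example_validate_order_ids(wp_unslash($_POST['order_ids'] ?? ''));
    if ($ids === []) {
        wp_send_json_error('order_ids must be a list of positive integers', 400);
    }
    global $wpdb;
    wp_send_json_success(ccb_example_fetch_orders($wpdb, $ids));
}

if (function_exists('add_action')) {
    add_action('wp_ajax_ccb_example_orders', 'ccb_example_ajax_orders');
} elseif (PHP_SAPI === 'cli') {
    // Outside WordPress, exercise the validator alone on constructed inputs.
    foreach (['12,13', '12, 13, 12', '1 OR 1=1', '', ['4', '5'], '-7'] as $input) {
        printf("%-14s => %s\n", json_encode($input), json_encode(ccb_example_validate_order_ids($input)));
    }
}
```

Loaded inside WordPress the file registers the AJAX action; run from the PHP CLI without WordPress it only exercises the validator on the constructed inputs. The all-or-nothing rejection is deliberate: accepting the numeric prefix of a malformed value would mask probing and make anomalous requests indistinguishable from normal ones in the logs.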
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in the WordPress site's database, such as user data, configuration details, or business-critical information managed by the Cost Calculator Builder plugin. Since the attack requires only Subscriber-level access, which is commonly granted to registered users or customers, the attack surface is broad. Confidentiality breaches can lead to data leakage, privacy violations, and potential compliance issues under regulations like GDPR or CCPA. Although the vulnerability does not affect data integrity or availability, the exposure of sensitive data can facilitate further attacks, including privilege escalation, phishing, or targeted exploitation of other vulnerabilities. Organizations running WordPress sites with this plugin installed are at risk of data compromise, reputational damage, and potential financial loss. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code may emerge following disclosure.
Mitigation Recommendations
1. Immediately upgrade the Cost Calculator Builder plugin to a patched version once available from the vendor. Monitor stylemix official channels for updates.
2. Until a patch is released, restrict or review user roles and permissions to limit Subscriber-level access where possible, reducing the number of users who can exploit the vulnerability.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL Injection patterns targeting the 'order_ids' parameter, focusing on time-based injection signatures.
4. Apply input validation and sanitization at the application level by customizing or hardening the plugin code to enforce strict type and format checks on 'order_ids'.
5. Use database query parameterization or prepared statements, if modifying the plugin code is feasible, to prevent injection.
6. Conduct regular security audits and monitoring of database query logs to detect anomalous queries indicative of exploitation attempts.
7. Educate site administrators and users about the risks of elevated privileges and enforce strong authentication mechanisms to reduce the likelihood of account compromise.
8. Back up databases regularly to ensure recovery in case of data compromise.
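Recommendations 3 and 6 call for time-based injection signatures and for log review. The following PHP CLI script is an added example (not from the advisory, OffSeq or the plugin) that scans access-log lines for 'order_ids' values that are not a plain integer list, for time-delay function signatures, and for abnormally slow responses to malformed input. The log format (combined format with a trailing request-time field in seconds), the endpoint path and the sample lines are constructed assumptions.

```php
<?php
// Added example, not code from the advisory or from the plugin: a PHP CLI
// script that reviews access-log lines for signs of injection attempts
// against the 'order_ids' parameter. The log format (combined format plus a
// trailing request-time field in seconds), the endpoint path and the sample
// lines are constructed for this example; adapt the regex to your server.

declare(strict_types=1);

/** Time-delay primitives used in time-based probes (MySQL, PostgreSQL, MSSQL). */
const CCB_EXAMPLE_TIME_SIGS = '/\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b/i';

/** Seconds above which a request to this endpoint is considered abnormally slow. */
const CCB_EXAMPLE_SLOW_SECONDS = 2.0;

/**
 * Parse one log line into ip, method, path, decoded query, status and seconds,
 * or return null if the line does not match the assumed format.
 */
function ccb_example_parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP\/[\d.]+" (\d{3}) \S+ "[^"]*" "[^"]*" ([\d.]+)$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $parts = parse_url($m[3]);
    $query = [];
    parse_str($parts['query'] ?? '', $query); // parse_str URL-decodes the values
    return [
        'ip'      => $m[1],
        'method'  => $m[2],
        'path'    => $parts['path'] ?? $m[3],
        'query'   => $query,
        'status'  => (int) $m[4],
        'seconds' => (float) $m[5],
    ];
}

/**
 * Classify a parsed request. Returns a list of reasons; empty means nothing suspicious.
 */
function ccb_example_classify(array $req): array
{
    if (!isset($req['query']['order_ids'])) {
        return [];
    }
    $value = $req['query']['order_ids'];
    if (is_array($value)) {
        $value = implode(',', $value);
    }
    $reasons = [];
    // Legitimate values are comma-separated positive integers; anything else is malformed.
    if (!preg_match('/^\d+(,\d+)*$/', $value)) {
        $reasons[] = 'order_ids is not a plain integer list';
    }
    if (preg_match(CCB_EXAMPLE_TIME_SIGS, $value)) {
        $reasons[] = 'time-delay function signature in order_ids';
    }
    // A slow response is only interesting when the input was already malformed.
    if ($reasons !== [] && $req['seconds'] >= CCB_EXAMPLE_SLOW_SECONDS) {
        $reasons[] = sprintf('slow response (%.1fs) on malformed input', $req['seconds']);
    }
    return $reasons;
}

/** Scan a list of log lines and return one finding per suspicious request. */
function ccb_example_scan(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $req = ccb_example_parse_line($line);
        if ($req === null) {
            continue;
        }
        $reasons = ccb_example_classify($req);
        if ($reasons !== []) {
            $findings[] = ['line' => $n + 1, 'ip' => $req['ip'], 'reasons' => $reasons];
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic): a normal request, a request whose
// decoded order_ids is "1,SLEEP(5)" with a matching delay, and a malformed value.
$sample = [
    '203.0.113.10 - - [25/Feb/2026:21:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ccb_orders&order_ids=12,13 HTTP/1.1" 200 812 "-" "Mozilla/5.0" 0.041',
    '203.0.113.10 - - [25/Feb/2026:21:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=ccb_orders&order_ids=1%2CSLEEP%285%29 HTTP/1.1" 200 812 "-" "Mozilla/5.0" 5.012',
    '198.51.100.7 - - [25/Feb/2026:21:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=ccb_orders&order_ids=abc HTTP/1.1" 200 812 "-" "Mozilla/5.0" 0.039',
];

if (PHP_SAPI === 'cli') {
    foreach (ccb_example_scan($sample) as $f) {
        printf("line %d from %s: %s\n", $f['line'], $f['ip'], implode('; ', $f['reasons']));
    }
}
```

Access logs carry GET parameters only; an 'order_ids' value sent in a POST body is visible only to a WAF or an application-level log that records request bodies, so the same classification should be applied there. The slow-response threshold and the signature list need tuning to the site's normal latency, and repeated malformed values from one client over a short window are a stronger signal than any single line.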
Affected Countries
United States, Germany, United Kingdom, Australia, Canada, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-03-08T22:10:21.945Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b1fb7ef31ef0b54e534
Added to database: 2/25/2026, 9:35:27 PM
Last enriched: 2/25/2026, 10:17:00 PM
Last updated: 2/26/2026, 8:00:15 AM
Views: 1