CVE-2025-28967 is a high-severity SQL Injection vulnerability (CWE-89) affecting the 'Contact Us page - Contact people LITE' plugin developed by Steve Truman, up to version 3.7.4. The vulnerability arises from improper neutralization of special elements in SQL commands, allowing an attacker with at least low privileges (PR:L) and no user interaction (UI:N) to inject malicious SQL code remotely over the network (AV:N). The vulnerability has a CVSS v3.1 base score of 8.5, indicating a significant risk. The scope is changed (S:C), meaning the vulnerability can impact resources beyond the initially vulnerable component. The impact vector shows high confidentiality impact (C:H), no integrity impact (I:N), and low availability impact (A:L). This suggests that an attacker can extract sensitive data from the backend database without modifying or deleting data but may cause minor service disruptions. The vulnerability is exploitable remotely without user interaction but requires some level of privileges, possibly an authenticated user or a user with limited access. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability specifically targets the SQL query handling in the Contact Us page plugin, which is commonly used in web applications to manage user inquiries and contact information. Exploitation could lead to unauthorized disclosure of sensitive data stored in the database, such as user contact details or internal configuration data, posing a significant privacy and security risk.

For European organizations, this vulnerability poses a substantial threat, especially for those using the affected plugin on their websites or intranet portals. The high confidentiality impact means that sensitive personal data protected under GDPR could be exposed, leading to regulatory penalties and reputational damage. The low availability impact suggests limited disruption to services, but data leakage could facilitate further attacks or fraud. Organizations in sectors such as finance, healthcare, and government, which often handle sensitive personal data, are particularly at risk. Additionally, the vulnerability could be leveraged by attackers to perform reconnaissance or escalate privileges within the network. The requirement for some level of privileges reduces the risk of mass exploitation but does not eliminate it, as attackers may gain initial access through other means. The lack of a patch increases the urgency for mitigation. Given the interconnected nature of European digital infrastructure, exploitation in one organization could have cascading effects, including data breaches affecting partners or clients.

European organizations should immediately audit their web applications to identify installations of the 'Contact Us page - Contact people LITE' plugin, particularly versions up to 3.7.4. Until an official patch is released, organizations should implement the following mitigations: 1) Restrict access to the Contact Us page to trusted users or IP ranges to limit exposure. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting this plugin. 3) Conduct code reviews and apply manual input validation and parameterized queries if possible to sanitize inputs on the Contact Us page. 4) Monitor logs for unusual database queries or error messages indicative of injection attempts. 5) Enforce the principle of least privilege on database accounts used by the plugin to minimize data exposure. 6) Prepare incident response plans for potential data breaches involving this vulnerability. 7) Engage with the vendor or community to track patch releases and apply updates promptly once available. 8) Consider temporary removal or disabling of the plugin if it is not critical to operations.