CVE-2025-3951: CWE-89 SQL Injection in WP-Optimize
The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations.
AI Analysis
Technical Summary
CVE-2025-3951 is a medium-severity SQL Injection vulnerability in WP-Optimize WordPress plugin versions prior to 4.2.0. The plugin does not properly sanitize or escape user-supplied input when verifying image compression statuses, specifically within Multi-Site WordPress configurations, so a user with the administrator role can inject SQL into the resulting database queries. Although exploitation requires administrator-level access, the impact is significant because an attacker could manipulate database queries, potentially leading to unauthorized data disclosure or modification within the affected WordPress multisite environment. The vulnerability is classified under CWE-89 (improper neutralization of special elements used in SQL commands). The CVSS v3.1 base score is 4.1 (medium); the vector components are network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), changed scope (S:C), low confidentiality impact (C:L), and no integrity or availability impact (I:N/A:N). No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. The vulnerability was reserved in late April 2025 and published in early June 2025.
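As an added illustration of the CWE-89 pattern the advisory describes (constructed here, not WP-Optimize's own code, which this page does not reproduce), a multisite status lookup that interpolates a request-supplied site ID and status string straight into the query, beside a hardened form that validates the ID, derives the per-site table prefix from the WordPress API, allow-lists the status and binds it with `$wpdb->prepare()`. The function names, the `image_compression` table and its columns are assumptions.

```php
<?php
// Added illustrative example, not WP-Optimize's own code.
// Assumed: a hypothetical per-site table "<prefix>image_compression" with
// columns image_id and status; $blog_id and $status arrive from the request.

// Vulnerable pattern (CWE-89): untrusted values are concatenated into SQL.
function demo_count_images_by_status_vulnerable( $blog_id, $status ) {
    global $wpdb;
    // The table name is built from $blog_id and $status is quoted by hand;
    // neither is escaped, so a crafted value can alter the query structure.
    $table = 'wp_' . $blog_id . '_image_compression';
    $sql   = "SELECT COUNT(*) FROM $table WHERE status = '" . $status . "'";
    return (int) $wpdb->get_var( $sql );
}

// Hardened form: require network-admin capability for a cross-site check,
// validate the site ID, take the table prefix from the API, and bind values.
function demo_count_images_by_status_safe( $blog_id, $status ) {
    global $wpdb;

    if ( ! current_user_can( 'manage_network' ) ) {      // least privilege
        return 0;
    }

    $blog_id = absint( $blog_id );                       // integer only
    if ( 0 === $blog_id || ! get_site( $blog_id ) ) {    // site must exist
        return 0;
    }

    // Allow-list the status instead of trusting free-form input.
    $allowed = array( 'pending', 'compressed', 'failed' );
    if ( ! in_array( $status, $allowed, true ) ) {
        return 0;
    }

    // get_blog_prefix() yields e.g. "wp_3_" for a multisite sub-site.
    $table = $wpdb->get_blog_prefix( $blog_id ) . 'image_compression';

    // %i binds an identifier (WordPress 6.2+); %s binds and quotes a value.
    $sql = $wpdb->prepare(
        'SELECT COUNT(*) FROM %i WHERE status = %s',
        $table,
        $status
    );
    return (int) $wpdb->get_var( $sql );
}
```

On WordPress releases older than 6.2 the `%i` placeholder is unavailable; there the table name must come only from `get_blog_prefix()` plus a constant suffix, never from input.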
Potential Impact
For European organizations using WordPress multisite installations with the WP-Optimize plugin, this vulnerability poses a risk primarily when an attacker has already obtained administrator-level access. Given that multisite WordPress setups are common in large enterprises, educational institutions, and media companies, exploitation could allow attackers to execute unauthorized SQL commands, potentially leading to unauthorized access to sensitive data or disruption of database operations. While the direct impact on confidentiality is rated low, the altered scope and potential for data manipulation could have cascading effects on data integrity and trustworthiness of the affected systems. Since the vulnerability requires high privileges, the risk is somewhat mitigated by existing access controls; however, insider threats or compromised administrator accounts could leverage this flaw. European organizations with strict data protection regulations, such as GDPR, may face compliance risks if sensitive personal data is exposed or altered due to exploitation. Additionally, the multisite context increases the potential blast radius, as multiple sites could be affected simultaneously.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should prioritize upgrading the WP-Optimize plugin to version 4.2.0 or later as soon as it becomes available, as this version addresses the input sanitization issue. Until an official patch is released, organizations should restrict administrator access strictly to trusted personnel and implement robust monitoring of administrator activities and database queries for unusual patterns. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection attempts targeting the plugin's image compression status checks can provide an additional layer of defense. Regular security audits of WordPress multisite configurations and plugins should be conducted to identify and remediate similar vulnerabilities proactively. Furthermore, enforcing multi-factor authentication (MFA) for administrator accounts reduces the risk of credential compromise, thereby limiting the potential for exploitation. Backup strategies should be reviewed and tested to ensure rapid recovery in case of data manipulation or corruption.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2025-04-25T18:55:14.981Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 683d94ca182aa0cae24279aa
Added to database: 6/2/2025, 12:10:50 PM
Last enriched: 7/9/2025, 12:26:20 PM
Last updated: 8/15/2025, 1:06:46 PM