
CVE-2025-4840: CWE-89 SQL Injection in inprosysmedia-likes-dislikes-post

Severity: High
Tags: Vulnerability, CVE-2025-4840, CWE-89
Published: Tue Jun 10 2025 (06/10/2025, 06:00:07 UTC)
Source: CVE Database V5
Vendor/Project: Unknown
Product: inprosysmedia-likes-dislikes-post

Description

The inprosysmedia-likes-dislikes-post WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

AI-Powered Analysis

Last updated: 07/10/2025, 22:49:06 UTC

Technical Analysis

CVE-2025-4840 is a high-severity SQL Injection vulnerability found in the WordPress plugin 'inprosysmedia-likes-dislikes-post' version 1.0.0 and earlier. This plugin fails to properly sanitize and escape user-supplied input before incorporating it into SQL queries executed via an AJAX action. Critically, this AJAX endpoint is accessible to unauthenticated users, meaning that any remote attacker can exploit this flaw without needing valid credentials or user interaction. The vulnerability is classified under CWE-89, indicating improper neutralization of special elements used in an SQL command. Exploiting this vulnerability allows an attacker to inject malicious SQL code, potentially enabling unauthorized data access or manipulation. According to the CVSS v3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), the attack can be launched remotely over the network with low complexity, no privileges, and no user interaction required. The impact is primarily on confidentiality, allowing attackers to read sensitive data from the database, but it does not affect integrity or availability directly. No patches or fixes have been published yet, and no known exploits are currently observed in the wild. The vulnerability was reserved in May 2025 and published in June 2025, indicating it is a recent discovery. Given the plugin’s nature as a WordPress extension, it is likely used by websites to manage user feedback through likes and dislikes, making affected sites vulnerable to data breaches and potential reputational damage.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress websites that utilize the 'inprosysmedia-likes-dislikes-post' plugin. Exploitation could lead to unauthorized disclosure of sensitive information stored in the backend database, including user data, content management details, or other confidential business information. This breach of confidentiality could result in GDPR violations, leading to substantial fines and legal consequences. Additionally, the presence of an exploitable SQL injection could be leveraged as a foothold for further attacks, such as pivoting into internal networks or escalating privileges if combined with other vulnerabilities. The fact that exploitation requires no authentication or user interaction increases the risk of automated mass scanning and exploitation attempts. Organizations in sectors such as e-commerce, media, and public services, which often use WordPress extensively, may face operational disruptions and damage to customer trust. The lack of a patch at this time necessitates immediate attention to prevent exploitation.

Mitigation Recommendations

European organizations should take immediate steps to mitigate this vulnerability. First, identify and inventory all WordPress installations using the 'inprosysmedia-likes-dislikes-post' plugin. Until an official patch is released, disable or uninstall the plugin to eliminate the attack surface. If disabling the plugin is not feasible, implement Web Application Firewall (WAF) rules to detect and block suspicious AJAX requests targeting the vulnerable endpoint, focusing on anomalous SQL syntax or injection patterns. Employ strict input validation and sanitization at the application level if custom modifications are possible. Monitor web server and application logs for unusual activity indicative of exploitation attempts. Additionally, ensure that database accounts used by WordPress have the least privileges necessary to limit the impact of a successful injection. Regularly back up website data and databases to enable recovery in case of compromise. Stay informed about updates from the plugin developers or WordPress security advisories to apply patches promptly once available.
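The application-level fix the recommendations call for, shown as an added example rather than the plugin's own code: an unauthenticated WordPress AJAX handler that concatenates a request parameter into SQL, next to a hardened version that validates the value and binds it with `$wpdb->prepare()`. The hook name `ipm_like_count`, the `post_id` parameter and the `ipm_votes` table are assumptions; the advisory does not name the real parameter.

```php
<?php
// Added example (not the plugin's code). Hook name, parameter name and
// table name are assumed; the advisory does not identify the real ones.

// Weak pattern of the kind the CVE describes: the raw POST value is pasted
// into the query string, so its content becomes SQL syntax.
function ipm_like_count_weak() {
    global $wpdb;
    $post_id = $_POST['post_id']; // untrusted, unvalidated, unescaped
    $count = $wpdb->get_var(
        "SELECT COUNT(*) FROM {$wpdb->prefix}ipm_votes WHERE post_id = " . $post_id
    );
    wp_send_json_success( array( 'likes' => $count ) );
}

// Hardened version: enforce the expected type, reject anything that is not
// a published post, and bind the value as a parameter.
function ipm_like_count_hardened() {
    global $wpdb;

    // absint() forces a non-negative integer; any other input becomes 0.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( 0 === $post_id || 'publish' !== get_post_status( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // prepare() binds %d as an integer, so the value can never alter the
    // structure of the statement.
    $count = (int) $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->prefix}ipm_votes WHERE post_id = %d",
            $post_id
        )
    );
    wp_send_json_success( array( 'likes' => $count ) );
}

// wp_ajax_nopriv_ exposes the action to visitors who are not logged in, which
// is the exposure the advisory describes; wp_ajax_ covers logged-in users.
// Both hooks point at the hardened handler; the weak one is never registered.
add_action( 'wp_ajax_nopriv_ipm_like_count', 'ipm_like_count_hardened' );
add_action( 'wp_ajax_ipm_like_count', 'ipm_like_count_hardened' );
```

The same pattern applies to string parameters: validate against an allow-list or use `sanitize_text_field()`, then bind with `%s` in `$wpdb->prepare()` instead of concatenating.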


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2025-05-16T14:48:45.786Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68487f591b0bd07c3938aaee

Added to database: 6/10/2025, 6:54:17 PM

Last enriched: 7/10/2025, 10:49:06 PM

Last updated: 8/18/2025, 6:26:01 AM

