CVE-2025-5287 identifies a SQL Injection vulnerability in the erumfaham Likes and Dislikes Plugin for WordPress, affecting all versions up to and including 1.0.0. The vulnerability stems from improper neutralization of special elements in the 'post' parameter, which is used in SQL queries without sufficient escaping or parameterization. This allows unauthenticated attackers to append arbitrary SQL commands to legitimate queries, potentially extracting sensitive data from the underlying database. The vulnerability does not require authentication or user interaction, increasing its risk profile. The CVSS 3.1 base score is 7.5, reflecting high severity due to network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact is primarily on confidentiality, as attackers can read sensitive information, but it does not affect integrity or availability. No patches or official fixes have been released at the time of publication, and no known exploits have been observed in the wild. The plugin’s widespread use in WordPress sites makes this a critical issue for website owners and administrators. The vulnerability is classified under CWE-89, which covers improper neutralization of special elements used in SQL commands.

The primary impact of CVE-2025-5287 is unauthorized disclosure of sensitive information stored in the database of affected WordPress sites using the erumfaham Likes and Dislikes Plugin. Attackers can exploit this vulnerability remotely without authentication, enabling data exfiltration such as user credentials, personal data, or other confidential content. This can lead to privacy violations, regulatory non-compliance, and reputational damage. Although the vulnerability does not directly allow modification or deletion of data, the exposure of sensitive information can facilitate further attacks, including account takeover or lateral movement within the network. Organizations relying on WordPress sites with this plugin are at risk of data breaches, especially if the database contains critical business or user data. The ease of exploitation and lack of required privileges increase the likelihood of attacks, making this a significant threat to website security worldwide.

To mitigate CVE-2025-5287, organizations should immediately assess whether they use the erumfaham Likes and Dislikes Plugin and identify affected versions. Since no official patch is currently available, temporary mitigations include disabling or removing the plugin to eliminate the attack surface. Web application firewalls (WAFs) can be configured to detect and block SQL injection patterns targeting the 'post' parameter. Developers and site administrators should implement strict input validation and sanitization on all user-supplied parameters, especially those used in SQL queries. Refactoring the plugin code to use parameterized queries or prepared statements will prevent injection attacks. Monitoring database query logs for unusual or malformed queries can help detect exploitation attempts. Regular backups and incident response plans should be in place to recover from potential breaches. Once an official patch is released, prompt application is critical to fully remediate the vulnerability.