CVE-2025-5563 is a medium-severity SQL Injection vulnerability affecting the WP-Addpub plugin for WordPress, specifically all versions up to and including 1.2.8. The vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89). The root cause is insufficient escaping of user-supplied input passed via the 'wp-addpub' shortcode parameter, combined with a lack of proper query preparation or parameterization in the plugin's code. This flaw allows authenticated users with Contributor-level access or higher to inject arbitrary SQL code into existing database queries. Exploiting this vulnerability, an attacker can append additional SQL statements to extract sensitive information from the WordPress database, such as user credentials, personal data, or site configuration details. The CVSS 3.1 base score is 6.5, reflecting a network attack vector with low attack complexity, requiring privileges (Contributor or above), no user interaction, and impacting confidentiality but not integrity or availability. No known exploits are currently reported in the wild, but the vulnerability's presence in a widely used WordPress plugin makes it a potential target for attackers seeking to escalate privileges or harvest sensitive data from compromised sites. The vulnerability affects all versions of WP-Addpub up to 1.2.8, and no official patch links are currently available, indicating that site administrators must monitor for updates or apply manual mitigations.

For European organizations using WordPress sites with the WP-Addpub plugin, this vulnerability poses a significant risk to the confidentiality of sensitive data stored in their databases. Attackers with Contributor-level access—which can sometimes be obtained through compromised accounts or weak credential policies—can exploit this flaw to extract user data, internal configuration, or other sensitive information. This can lead to data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and potential financial penalties. Since WordPress powers a large portion of websites in Europe, including those of SMEs, public institutions, and e-commerce platforms, the impact can be widespread. The vulnerability does not directly affect data integrity or availability, but the confidentiality breach alone is critical given the strict data protection regulations in Europe. Additionally, attackers could leverage extracted data for further attacks such as phishing or lateral movement within organizational networks.

European organizations should immediately audit their WordPress installations to identify the presence of the WP-Addpub plugin and its version. Until an official patch is released, the following specific mitigations are recommended: 1) Restrict Contributor-level access strictly to trusted users and review user roles to minimize unnecessary privileges. 2) Disable or remove the WP-Addpub plugin if it is not essential to site functionality. 3) Implement Web Application Firewall (WAF) rules that detect and block suspicious SQL injection patterns targeting the 'wp-addpub' shortcode parameters. 4) Employ database query logging and monitoring to detect anomalous queries that may indicate exploitation attempts. 5) Encourage plugin developers or internal teams to apply manual code fixes by properly escaping inputs or using prepared statements for SQL queries involving the shortcode parameters. 6) Regularly update WordPress core and plugins once a patch becomes available. 7) Conduct security awareness training for administrators and content contributors to recognize and report suspicious activities.