CVE-2025-7662 identifies a SQL Injection vulnerability in the evigeo Gestion de tarifs plugin for WordPress, present in all versions up to and including 1.4. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) due to insufficient escaping and lack of prepared statements on user-supplied parameters within the 'tarif' and 'intitule' shortcodes. Authenticated users with Contributor-level privileges or higher can exploit this flaw by injecting additional SQL queries appended to existing queries, enabling unauthorized extraction of sensitive information from the backend database. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS v3.1 score is 6.5, reflecting a medium severity with high confidentiality impact but no impact on integrity or availability. No patches or known exploits are currently reported, but the vulnerability's presence in all plugin versions indicates a widespread exposure risk for sites using this plugin. The root cause is the failure to properly sanitize and prepare SQL queries, which is a common and critical security oversight in web applications. This vulnerability highlights the need for secure coding practices such as parameterized queries and rigorous input validation in WordPress plugin development.

The primary impact of this vulnerability is unauthorized disclosure of sensitive data stored in the WordPress site's database, including potentially user information, configuration data, or other confidential content managed by the plugin. Since the vulnerability requires authenticated access at Contributor level or above, attackers must first compromise or have legitimate access to an account with these privileges, which limits the attack surface but does not eliminate risk. Exploitation could lead to data breaches, loss of customer trust, and regulatory compliance issues for organizations handling sensitive data. Although integrity and availability are not directly affected, the exposure of confidential information can have severe reputational and operational consequences. Organizations running WordPress sites with this plugin are at risk of targeted attacks, especially if they have weak account management or privilege escalation vulnerabilities. The lack of known exploits in the wild suggests the vulnerability is not yet widely weaponized, but the ease of exploitation and network accessibility make it a significant threat if left unaddressed.

To mitigate this vulnerability, organizations should immediately upgrade the evigeo Gestion de tarifs plugin to a version that addresses this issue once available. In the absence of an official patch, administrators should consider disabling the plugin or restricting access to users with Contributor-level privileges and above. Implementing Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'tarif' and 'intitule' shortcode parameters can provide temporary protection. Site owners should audit user roles and permissions to minimize the number of users with Contributor or higher privileges, enforcing the principle of least privilege. Additionally, reviewing and hardening authentication mechanisms, such as enabling multi-factor authentication (MFA), can reduce the risk of account compromise. Developers maintaining the plugin should refactor the code to use parameterized queries or prepared statements and apply rigorous input validation and escaping to all user-supplied data. Regular security assessments and monitoring for unusual database queries can help detect exploitation attempts early.