
CVE-2025-7670: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in skatox JS Archive List

Severity: High
Type: Vulnerability
Tags: CVE-2025-7670, cve, cve-2025-7670, cwe-89
Published: Tue Aug 19 2025 (08/19/2025, 07:26:27 UTC)
Source: CVE Database V5
Vendor/Project: skatox
Product: JS Archive List

Description

The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI-Powered Analysis

Last updated: 08/19/2025, 07:47:53 UTC

Technical Analysis

CVE-2025-7670 is a high-severity SQL Injection vulnerability affecting the JS Archive List plugin for WordPress, versions up to and including 6.1.5. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) within the build_sql_where() function. Specifically, the plugin fails to sufficiently escape user-supplied parameters and does not adequately prepare the SQL queries before execution. This flaw allows unauthenticated attackers to inject malicious SQL code into existing queries, enabling time-based SQL Injection attacks. Such attacks can be leveraged to extract sensitive information from the underlying database without requiring any authentication or user interaction. The vulnerability is remotely exploitable over the network (AV:N), requires low attack complexity (AC:L), and does not require privileges (PR:N) or user interaction (UI:N). The impact is primarily on confidentiality (C:H), with no direct impact on integrity or availability. Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a significant risk, especially for websites relying on the JS Archive List plugin to manage archives. Given the widespread use of WordPress and the popularity of plugins, this vulnerability could be leveraged to access sensitive data such as user credentials, personal information, or other confidential content stored in the database.

Potential Impact

For European organizations, this vulnerability poses a substantial risk to data confidentiality, particularly for businesses and institutions using WordPress sites with the JS Archive List plugin. Successful exploitation could lead to unauthorized data disclosure, potentially violating GDPR and other data protection regulations, resulting in legal and financial repercussions. The breach of sensitive customer or employee data could damage organizational reputation and trust. Additionally, the vulnerability could be exploited as a foothold for further attacks, such as lateral movement or data exfiltration. Since the attack requires no authentication, any public-facing WordPress site using the affected plugin is at risk, increasing the attack surface. This is especially critical for sectors like finance, healthcare, government, and e-commerce, where data sensitivity is high and regulatory compliance is strict.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the JS Archive List plugin and verify its version. If the plugin is installed, upgrading to a patched version once available is the primary mitigation step. In the absence of an official patch, organizations should consider temporarily disabling or uninstalling the plugin to eliminate the attack vector. Web application firewalls (WAFs) should be configured to detect and block SQL Injection patterns targeting the vulnerable function. Implementing strict input validation and sanitization on all user inputs, especially those interacting with SQL queries, is critical. Organizations should also monitor database query logs for unusual or time-delayed queries indicative of time-based SQL Injection attempts. Regular backups and incident response plans should be updated to prepare for potential exploitation. Finally, developers maintaining custom WordPress plugins should review their code for similar SQL injection flaws and adopt parameterized queries or prepared statements to prevent such vulnerabilities.
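
The query-log monitoring recommended above can be sketched as follows. This is an added example, not part of the advisory or the plugin's code; the tab-separated log format, the 2-second threshold and the sample queries are assumptions constructed for illustration.

```python
import re

# Delay primitives used for time-based SQL injection on common engines.
DELAY_CALL = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE)
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)  # inline comments that split keywords
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'")  # quoted data, not executable SQL
SLOW_SECONDS = 2.0  # assumed threshold; tune to the site's normal query latency

# Constructed sample log, assumed format: time<TAB>seconds<TAB>query.
# The queries are illustrative and are not the plugin's real SQL.
SAMPLE_LOG = "\n".join([
    "2025-08-19T07:30:01Z\t0.004\tSELECT YEAR(post_date) y, COUNT(ID) n "
    "FROM wp_posts WHERE post_type = 'post' GROUP BY y",
    "2025-08-19T07:30:09Z\t5.012\tSELECT YEAR(post_date) y, COUNT(ID) n "
    "FROM wp_posts WHERE post_type = 'post' AND SLEEP(5) GROUP BY y",
    "2025-08-19T07:30:15Z\t0.006\tSELECT COUNT(ID) n "
    "FROM wp_posts WHERE post_type = 'post' AND sLeEp/**/(5)",
    "2025-08-19T07:31:02Z\t0.003\tINSERT INTO wp_comments (comment_content) "
    "VALUES ('notes on sleep(8h) and benchmark(v2)')",
    "2025-08-19T07:31:40Z\t3.400\tSELECT post_id FROM wp_postmeta "
    "WHERE meta_value LIKE '%report%'",
])


def classify(line):
    """Return (timestamp, verdict) for a suspicious line, else None."""
    parts = line.split("\t", 2)
    if len(parts) != 3:
        return None  # malformed line
    stamp, seconds, query = parts
    try:
        duration = float(seconds)
    except ValueError:
        return None
    # Drop quoted data first so words inside comments or post text do not match,
    # then replace inline comments with a space so split keywords rejoin.
    executable = SQL_COMMENT.sub(" ", STRING_LITERAL.sub("''", query))
    if DELAY_CALL.search(executable):
        # A delay call that did not fire is still an injection attempt.
        return stamp, "delay-executed" if duration >= SLOW_SECONDS else "delay-attempt"
    if duration >= SLOW_SECONDS:
        return stamp, "slow-review"  # slow without a delay call: triage manually
    return None


def scan(log_text):
    """Classify every line and keep only the flagged ones, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

Run `scan()` over exported query logs and alert on any `delay-*` verdict; `slow-review` entries are expected to include legitimate heavy queries.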


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-14T22:10:34.837Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a4289bad5a09ad00f3caee

Added to database: 8/19/2025, 7:32:43 AM

Last enriched: 8/19/2025, 7:47:53 AM

Last updated: 8/19/2025, 1:32:47 PM
