CVE-2025-10175

Vulnerability

Analysis

The WP Links Page plugin for WordPress, in all versions up to and including 4.9.6, contains a SQL injection vulnerability in the handling of the id parameter. The lack of proper escaping on user-supplied input and insufficient preparation of SQL queries allows an attacker to inject malicious SQL code [1]. This flaw is present in the plugin's core functionality, as evidenced by the source code from the plugin's SVN repository [1].

Attack

Vector

An attacker must be authenticated with at least Subscriber-level access to exploit this vulnerability. The id parameter is passed unsafely into an existing SQL query, enabling the injection of additional SQL statements. No elevated privileges are required beyond Subscriber, making it a low-barrier attack vector for authenticated users [2].

Impact

Successful exploitation allows the attacker to append arbitrary SQL queries to the original query, potentially extracting sensitive information from the WordPress database, such as usernames, password hashes, and other confidential data. This could compromise the entire site's user data [2].

Mitigation

The vendor has not released a patched version at the time of publication. Users are advised to update the plugin to the latest available version (4.9.7 or higher) if a security fix becomes available, or to restrict Subscriber-level access and consider alternative plugins [2].