VYPR
Medium severity 4.9 · NVD Advisory · Published Oct 15, 2025 · Updated Apr 15, 2026

CVE-2025-10310

Description

The Rich Snippet Site Report plugin for WordPress is vulnerable to SQL Injection via the 'last' parameter in all versions up to, and including, 2.0.0105 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This can also be exploited via CSRF.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in Rich Snippet Site Report plugin (≤2.0.0105) via 'last' parameter allows database extraction.

The Rich Snippet Site Report plugin for WordPress, in all versions up to and including 2.0.0105, is vulnerable to SQL injection via the 'last' parameter. The vulnerability arises from insufficient escaping on the user-supplied parameter and lack of prepared statements in the SQL query. This allows an attacker to inject arbitrary SQL statements.

An unauthenticated attacker can exploit this by sending a crafted HTTP request containing malicious SQL in the 'last' parameter. The attack can also be delivered via Cross-Site Request Forgery (CSRF), in which an authenticated user is tricked into triggering the injection. No special privileges are required beyond ordinary web access to the site.

Successful exploitation enables an attacker to append additional SQL queries to the existing query, potentially extracting sensitive information from the WordPress database, such as usernames, password hashes, or other confidential data.

The plugin was closed on October 14, 2025, due to this security issue, and is no longer available for download. Users should immediately remove the plugin from their WordPress installations. No patched version exists, so the only mitigation is to uninstall the plugin [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

3
