CVE-2025-10726
Published: 03 October 2025
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
CVE-2025-10726 is a SQL injection vulnerability in the WPRecovery plugin for WordPress, affecting all versions up to and including 2.0. The flaw arises from insufficient escaping of the user-supplied 'data[id]' parameter and inadequate preparation of the underlying SQL query, allowing attackers to append malicious SQL payloads. This vulnerability, classified under CWE-89, has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), highlighting its critical impact on integrity and availability despite no direct confidentiality loss.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By injecting additional SQL queries via the 'data[id]' parameter, they can extract sensitive information from the database. Furthermore, the SQL injection output is directly fed into PHP's unlink() function, enabling attackers to delete arbitrary files on the server by injecting file paths through the manipulated query.
Advisories and related resources, including the Wordfence threat intelligence page (https://www.wordfence.com/threat-intel/vulnerabilities/id/15880d3b-87de-4b59-878c-e36e73c45e8a?source=cve) and code references in the plugin's SVN and Trac repositories (e.g., https://plugins.svn.wordpress.org/wprecovery/trunk/delete_backup.php, https://plugins.trac.wordpress.org/browser/wprecovery/tags/2.0/index.php#L166), detail the vulnerable code paths in files like delete_backup.php and index.php. Security practitioners should review these for precise mitigation steps, such as updating the plugin if patches become available or implementing input validation and prepared statements.
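The defect the summary describes has two parts: an id parameter concatenated into SQL without preparation, and the query result handed to unlink() without checking where it points. The following PHP is an added illustration written for this page, not the WPRecovery plugin's own code: the first function reproduces that pattern in constructed form, the second shows the hardened shape a WordPress plugin should use. The table name (`{$wpdb->prefix}backups`), the `file_path` column, the backup directory location and the nonce action name are assumptions; the WordPress functions (`$wpdb->prepare`, `absint`, `check_ajax_referer`, `wp_upload_dir`, `wp_normalize_path`) are real APIs.

```php
<?php
// Added example for CVE-2025-10726, not code from the WPRecovery plugin.
// Table, column and directory names below are assumptions for illustration.

// --- Constructed vulnerable pattern: the id is interpolated into the SQL unescaped
// --- and whatever path the query returns goes straight to unlink().
function example_delete_backup_vulnerable() {
    global $wpdb;
    $id   = $_POST['data']['id'];                                                // untrusted input
    $path = $wpdb->get_var( "SELECT file_path FROM {$wpdb->prefix}backups WHERE id = '$id'" );
    if ( $path ) {
        unlink( $path );                                                          // no path validation
    }
}

// --- Hardened version: capability and nonce checks, integer coercion,
// --- a prepared statement, and a containment check on the resolved path.
function example_delete_backup_hardened() {
    global $wpdb;

    // Only a privileged user with a valid nonce may reach the delete code path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_delete_backup', 'nonce' ); // assumed nonce action name

    // Coerce the id to a positive integer; SQL cannot be injected through an int.
    $id = isset( $_POST['data']['id'] ) ? absint( wp_unslash( $_POST['data']['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // Prepared statement: %d binds the value as an integer.
    $stored = $wpdb->get_var(
        $wpdb->prepare( "SELECT file_path FROM {$wpdb->prefix}backups WHERE id = %d", $id )
    );
    if ( null === $stored ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Resolve both paths and require the target to live inside the backup directory,
    // so even a tampered database row cannot point unlink() at an arbitrary file.
    $backup_dir = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'example-backups' );
    $target     = realpath( $stored );
    if ( false === $backup_dir || false === $target
        || 0 !== strpos( wp_normalize_path( $target ), wp_normalize_path( $backup_dir ) . '/' ) ) {
        wp_send_json_error( 'path outside backup directory', 400 );
    }

    if ( ! unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    // Remove the row with a parameterised delete so the record and file stay in sync.
    $wpdb->delete( $wpdb->prefix . 'backups', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}
```

The containment check matters independently of the SQL fix: once a path comes out of a database the code did not fully control, realpath() plus a prefix comparison against the normalised backup directory is what keeps unlink() from reaching files elsewhere on the server.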
Details
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing WordPress plugin (T1190), SQL injection for database data extraction (T1213.006), and arbitrary file deletion via unlink() (T1070.004).