Platform: wordpress
Component: wprecovery
Fixed in: 2.5.4
CVE-2025-10726 describes a critical SQL Injection vulnerability affecting the WPRecovery plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration and arbitrary file deletion. The vulnerability impacts versions 0.0.0 through 2.0 of the plugin, and a fix is available in version 2.5.4.
The SQL Injection vulnerability in WPRecovery lets an attacker manipulate the plugin's database queries directly. An attacker could use this to extract sensitive information stored in the WordPress database, such as user credentials, customer data, or configuration details. In addition, the exploitable code path reaches PHP's unlink() function, so an attacker can delete arbitrary files on the server, disrupting the site's functionality or potentially compromising the entire system. This is a significant risk, particularly for sites that handle sensitive user data or critical business information.
This vulnerability was publicly disclosed on 2025-10-03. No active exploitation campaigns had been reported at the time of writing, but an SQL Injection vulnerability in a widely used WordPress plugin presents a significant risk. The CVSS score of 9.1 (CRITICAL) underscores its severity. The CVE is not currently listed in CISA's KEV catalog.
Exploit Status
EPSS: 0.19% (40th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-10726 is to upgrade the WPRecovery plugin to version 2.5.4 or later immediately. If upgrading is not immediately feasible because of compatibility issues or downtime concerns, temporarily disable the WPRecovery plugin to prevent exploitation. A Web Application Firewall (WAF) with SQL Injection protection rules adds a further layer of defense, but is not a substitute for the upgrade. Regularly review WordPress plugin security best practices and ensure all plugins come from reputable sources.
Update the WPRecovery plugin to version 2.5.4 or higher to remediate the SQL Injection vulnerability. Ensure that all user input used in SQL queries is passed through prepared statements or properly escaped so that it cannot alter the structure of the query. Review and strengthen the plugin's security measures to prevent similar vulnerabilities in future.
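The following is an added example, not WPRecovery's own code: a hypothetical "delete backup" AJAX handler in the insecure shape the advisory describes (request input concatenated into SQL, and the resulting path handed to unlink() without authorization), beside the hardened form a WordPress plugin should use. The table name `my_backups`, the request field `backup_id`, the nonce action `my_backups_delete`, the backup directory and the function names are all assumptions made for the illustration; the WordPress APIs used (`$wpdb->prepare()`, `absint()`, `current_user_can()`, `check_ajax_referer()`, `wp_send_json_error()`) are real.

```php
<?php
// Added example, not the plugin's code. Names of the table, request field,
// nonce action and backup directory are assumptions for illustration.

// --- Insecure shape (the pattern the advisory describes; do not use) ---
// Untrusted input is interpolated into SQL, and the path that comes back
// from the database goes straight to unlink() with no authorization check.
function insecure_delete_backup_handler() {
    global $wpdb;
    $id  = $_POST['backup_id'];                                   // untrusted, unvalidated
    $row = $wpdb->get_row(
        "SELECT file_path FROM {$wpdb->prefix}my_backups WHERE id = $id"  // SQL injection
    );
    if ( $row ) {
        unlink( $row->file_path );                                // arbitrary file deletion
    }
    wp_send_json_success();
}

// --- Hardened form ---
function secure_delete_backup_handler() {
    global $wpdb;

    // 1. Authorization: only an administrator may reach this code path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection via a nonce (action name is an assumption).
    check_ajax_referer( 'my_backups_delete', 'nonce' );

    // 3. Coerce the identifier to a positive integer; anything else is rejected.
    $id = isset( $_POST['backup_id'] ) ? absint( $_POST['backup_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // 4. Prepared statement: the value is bound, so it can never change the
    //    structure of the query.
    $table = $wpdb->prefix . 'my_backups';
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT file_path FROM {$table} WHERE id = %d", $id )
    );
    if ( ! $row ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 5. Path containment: resolve the stored path and refuse anything outside
    //    the plugin's backup directory, so a tampered or attacker-influenced row
    //    cannot turn unlink() into arbitrary file deletion.
    $backup_dir = realpath( WP_CONTENT_DIR . '/my-backups' );   // assumed location
    $target     = realpath( $row->file_path );
    if ( false === $backup_dir || false === $target
         || 0 !== strpos( $target, $backup_dir . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'path rejected', 400 );
    }

    if ( ! unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success();
}

// Register on the authenticated hook only. Registering the same handler on
// 'wp_ajax_nopriv_...' would expose it to unauthenticated requests, which is
// the exposure the advisory describes.
add_action( 'wp_ajax_my_backups_delete', 'secure_delete_backup_handler' );
```

When reviewing a plugin for this class of bug, check each of the five points in the hardened handler in turn: a capability check, a nonce check, type coercion of identifiers, `$wpdb->prepare()` (or equivalent) on every query that touches request data, and a containment check on any path derived from the database before it reaches `unlink()`, `file_get_contents()` or similar.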
CVE-2025-10726 is a critical SQL Injection vulnerability in the WPRecovery WordPress plugin, allowing attackers to potentially extract data and delete files.
If you are using WPRecovery versions 0.0.0 through 2.0, you are affected by this vulnerability. Upgrade immediately.
Upgrade the WPRecovery plugin to version 2.5.4 or later. If immediate upgrade is not possible, disable the plugin temporarily.
No active exploitation campaigns have been reported, but the vulnerability's severity warrants immediate attention and remediation.
Refer to the official WPRecovery plugin website or the WordPress plugin repository for the latest security advisories and updates.