Platform
wordpress
Component
wprecovery
Fixed in
2.5.4
CVE-2025-10726 describes a critical SQL Injection vulnerability affecting the WPRecovery plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration and arbitrary file deletion. The vulnerability impacts versions 0.0.0 through 2.0 of the plugin, and a fix is available in version 2.5.4.
The SQL Injection vulnerability in WPRecovery allows attackers to manipulate database queries directly. An attacker could leverage this to extract sensitive information such as user credentials, customer data, or configuration details stored within the WordPress database. Furthermore, exploitation can reach a code path that calls unlink(), letting the attacker delete arbitrary files on the server, potentially disrupting the website's functionality or even compromising the entire system. This represents a significant risk, particularly for sites handling sensitive user data or critical business information.
This vulnerability was publicly disclosed on 2025-10-03. No known active exploitation campaigns have been reported at the time of writing, but an unauthenticated SQL Injection vulnerability in a widely used WordPress plugin presents a significant risk. The CVSS score of 9.1 (CRITICAL) underscores the severity of this vulnerability. The CVE is not currently listed in CISA's KEV catalog.
WordPress websites utilizing the WPRecovery plugin, particularly those handling sensitive user data or operating in environments with limited security controls, are at significant risk. Shared hosting environments where plugin updates are managed by the hosting provider are also particularly vulnerable if they haven't applied the update.
• wordpress / composer / npm:
grep -rF "data[id]" /var/www/html/wp-content/plugins/wp-recovery/
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/wp-recovery/readme.txt | grep -i "stable tag"
• wordpress / composer / npm:
wp plugin list | grep wp-recovery
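The three checks above each answer only part of the question (is the plugin present, and which version is installed). The following script, added here as an example and not part of the advisory or the WPRecovery project, combines them: it reads the `Version:` header that WordPress requires in every plugin's main file and compares it against the fixed version 2.5.4 without relying on `sort -V`. The plugin directory name `wp-recovery` and the main file name `wp-recovery.php` are assumptions; the sample plugin directories created by `demo_setup` are constructed for a self-contained run.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed copy of the
# WPRecovery plugin is below the fixed version 2.5.4 by reading the "Version:"
# header WordPress puts in every plugin's main file.
FIXED_VERSION="2.5.4"

# Print the "Version: x.y.z" value from a plugin header file (nothing if absent).
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (true) when $1 is strictly lower than $2 in dotted-version order.
# Done in awk so it works without GNU "sort -V".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    len = (n > m) ? n : m;
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1
  }'
}

# Return 0 when the plugin directory $1 holds an affected version,
# 1 when it is fixed, missing, or has no readable version header.
wprecovery_is_vulnerable() {
  main_file="$1/wp-recovery.php"   # assumed main file name
  [ -f "$main_file" ] || return 1
  v="$(plugin_version "$main_file")"
  [ -n "$v" ] || return 1
  version_lt "$v" "$FIXED_VERSION"
}

# Constructed sample plugin directories (one affected, one fixed) so the
# functions above can be exercised offline; prints the temp directory.
demo_setup() {
  d="$(mktemp -d)"
  mkdir -p "$d/old/wp-recovery" "$d/new/wp-recovery"
  printf '<?php\n/*\n * Plugin Name: WPRecovery\n * Version: 2.0\n */\n' \
    > "$d/old/wp-recovery/wp-recovery.php"
  printf '<?php\n/*\n * Plugin Name: WPRecovery\n * Version: 2.5.4\n */\n' \
    > "$d/new/wp-recovery/wp-recovery.php"
  echo "$d"
}

# Usage: sh check-wprecovery.sh /var/www/html/wp-content/plugins/wp-recovery
if [ -n "$1" ]; then
  if wprecovery_is_vulnerable "$1"; then
    echo "AFFECTED: WPRecovery $(plugin_version "$1/wp-recovery.php") < $FIXED_VERSION, upgrade now"
  else
    echo "not affected (fixed version, or plugin not found at $1)"
  fi
fi
```

Run it against the real plugin path on each host; on multi-site hosting, loop over every `wp-content/plugins/wp-recovery` directory found, since a single outdated copy is enough to expose that site.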
Exploit status
EPSS
0.19% (percentile 40%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-10726 is to immediately upgrade the WPRecovery plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider temporarily disabling the WPRecovery plugin to prevent exploitation. While not a complete solution, implementing a Web Application Firewall (WAF) with SQL Injection protection rules can provide an additional layer of defense. Regularly review WordPress plugin security best practices and ensure all plugins are from reputable sources.
Update the WPRecovery plugin to version 2.5.4 or later to mitigate the SQL injection vulnerability. Make sure all user input is properly escaped and passed through prepared statements in SQL queries to prevent execution of malicious code. Review and strengthen the plugin's security measures to prevent future vulnerabilities.
CVE-2025-10726 is a critical SQL Injection vulnerability in the WPRecovery WordPress plugin, allowing attackers to potentially extract data and delete files.
If you are using WPRecovery versions 0.0.0 through 2.0, you are affected by this vulnerability. Upgrade immediately.
Upgrade the WPRecovery plugin to version 2.5.4 or later. If immediate upgrade is not possible, disable the plugin temporarily.
No active exploitation campaigns have been reported, but the vulnerability's severity warrants immediate attention and remediation.
Refer to the official WPRecovery plugin website or the WordPress plugin repository for the latest security advisories and updates.