CVE-2025-10175 PoC — WP Links Page <= 4.9.6 - Authenticated (Subscriber+) SQL Injection

Source

https://github.com/MooseLoveti/WP-Links-Page-CVE-Report

Associated Vulnerability

Title:WP Links Page <= 4.9.6 - Authenticated (Subscriber+) SQL Injection (CVE-2025-10175)
Description:The WP Links Page plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 4.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Description

Disclosure for CVE-2025-10175

Readme

# WP-Links-Page-CVE-Report
Disclosure for CVE-2025-10175

# CVE-2025-10175 - Vulnerability in WP Links Page

This repository discloses a vulnerability discovered in [WP Links Page <= 4.9.6](https://wordpress.org/plugins/wp-links-page/),WordPress plugin developed by Rico Macchi.

## 🛠 Affected Version

- **Product**: WP Links Page
- **Version**: v4.9.6
- **URL**: https://wordpress.org/plugins/wp-links-page/

---

## 🔒 Assigned CVE
| CVE ID            | Type                      | Component                | Impact                    |
|-------------------|---------------------------|--------------------------|---------------------------|
| CVE-2025-10175    | Authenticated (Subscriber+) SQL Injection                | wp-links-page/wp-links-page-free.php             | Unauthorized database access and data exfiltration.     |  

---

## 🧾 Detailed a Description

### CVE-2025-10175 — Unauthorized Database Access And Data Exfiltration

 - **Affected Component**: wplf_update_from_previous() ($wpdb->get_results("SELECT * FROM $table WHERE id = $id ..."))
 - **Attack Vector**: Authenticated (nonce required) AJAX-based Blind SQL Injection (id parameter)
 - **Trigger**: By sending a crafted request with a valid nonce to /wp-admin/admin-ajax.php, a time delay can be observed:
```
POST /wp-admin/admin-ajax.php
Content-Type: application/x-www-form-urlencoded

action=wplf_update_from_previous&nonce=<valid_nonce>&id=1 AND SLEEP(5)

```
 - **Impact**: Attackers can gradually extract database contents (user accounts, emails, configuration values) and obtain administrator password hashes, leading to privilege escalation. Disclosure of schema information and record counts weakens confidentiality and facilitates subsequent targeted attacks against the entire WordPress installation.
 - **PoC**:
  1. An authenticated user sends a POST request to /wp-admin/admin-ajax.php with a valid nonce.
  2. The id parameter is injected with a time-based payload such as 1 AND SLEEP(5).
  3. The server response is delayed, confirming the presence of Blind SQL Injection.

## ❓Reason for the vulnerability
 The id parameter is taken directly from $_REQUEST and only passed through sanitize_text_field(), which does not prevent SQL injection. The value is then concatenated directly into the SQL query without prepared statements or proper parameter binding.
 
 ### Proposed Fix:
 Use $wpdb->prepare()
## 🔍 Discoverer

**Name**: MooseLove  
**Role**: Independent security researcher / bug hunter  
**Contact**: Available upon request  

---

## 📚 References

- Product: https://wordpress.org/plugins/wp-links-page/

---

## ⚠️ License

This advisory is provided for public security awareness. Free to share with attribution.

File Snapshot


 [4.0K]  /data/pocs/e58e845ea418c6257a5e14b3213617b5a6e4c3db
└── [2.7K]  README.md

1 directory, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!