CVE-2025-10002
BaseFortify
Publication date: 2025-09-20
Last updated on: 2025-09-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| clickwhale | link_manager | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an SQL Injection in the ClickWhale WordPress plugin (versions up to 2.5.0) affecting the export_csv() function. It occurs because user-supplied parameters are not properly escaped or prepared before being included in SQL queries. This allows authenticated users with Administrator-level access or higher to append malicious SQL code to existing queries, potentially extracting sensitive data from the database. Lower level users might also exploit it if they have access to the plugin.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker with sufficient access to extract sensitive information from the website's database. This could include confidential data stored by the plugin or WordPress site. Since it requires at least Administrator-level access, the impact depends on the attacker's privileges, but it could lead to data breaches or unauthorized data disclosure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability could lead to unauthorized access and extraction of sensitive personal or protected data from the database, which may result in non-compliance with data protection regulations such as GDPR or HIPAA. Organizations affected by this vulnerability might face legal and regulatory consequences if personal data is exposed due to exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring for attempts to exploit the SQL Injection vulnerability in the export_csv() function of the ClickWhale plugin. Since the vulnerability involves manipulation of POST parameters, particularly the 'columns' parameter during CSV export, you can inspect HTTP POST requests to the plugin's export endpoint for suspicious or malformed input. Commands to detect such activity could include using web server logs or network traffic analysis tools to search for POST requests containing SQL syntax or unusual parameters. For example, using grep on web server logs: `grep -i 'export_csv' /var/log/apache2/access.log | grep -E "(union|select|insert|update|delete|--|;|')"` to find potential SQL injection attempts. Additionally, monitoring WordPress logs or plugin-specific logs for errors related to CSV export or unexpected input could help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the ClickWhale plugin to version 2.5.1 or later, as this version includes fixes that improve input sanitization and validation in the export_csv() function, preventing SQL injection. If updating is not immediately possible, restrict access to the plugin's export functionality to trusted administrator users only, and monitor for suspicious activity. Additionally, consider applying web application firewall (WAF) rules to block SQL injection patterns targeting the plugin's export endpoint. [1]