CVE-2025-10175

MEDIUM

WP Links Page <4.9.6 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-10175. PoCs published by MooseLoveti.

AI-analyzed exploit summary This repository provides a detailed writeup for CVE-2025-10175, an authenticated blind SQL injection vulnerability in the WP Links Page WordPress plugin (v4.9.6). The vulnerability arises from improper sanitization of the 'id' parameter in the wplf_update_from_previous() function, allowing attackers to exfiltrate database contents via time-based payloads.

Description

The WP Links Page plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 4.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Exploits (1)

nomisec WRITEUP

by MooseLoveti · poc

https://github.com/MooseLoveti/WP-Links-Page-CVE-Report

View Code ZIP pw:eip

This repository provides a detailed writeup for CVE-2025-10175, an authenticated blind SQL injection vulnerability in the WP Links Page WordPress plugin (v4.9.6). The vulnerability arises from improper sanitization of the 'id' parameter in the wplf_update_from_previous() function, allowing attackers to exfiltrate database contents via time-based payloads.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WP Links Page WordPress plugin <= 4.9.6

Auth required

Prerequisites: Authenticated user with Subscriber+ privileges · Valid nonce for AJAX request

MITRE ATT&CK

T1505 - Server Software Component T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Product

https://wordpress.org/plugins/wp-links-page/

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3410752%40wp-links-page&new=3410752%40wp-links-page&sfp_email=&sfph_mail=

Product

https://plugins.svn.wordpress.org/wp-links-page/trunk/wp-links-page-free.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/cb753b29-ca8c-4044-97ff-3b7e57d5de61?source=cve

Scores

CVSS v3 6.5

EPSS 0.0035

EPSS Percentile 26.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

rico-macchi/WP Links Page < 4.9.6

Published Oct 11, 2025

Tracked Since Feb 18, 2026