Description
The WP Links Page plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 4.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-10-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection exposing sensitive data
Action: Apply Patch
AI Analysis

Impact

The WP Links Page plugin contains a flaw where the “id” parameter is not sufficiently escaped and the plugin does not use prepared statements. An authenticated user with Subscriber level or higher can send arbitrary SQL code that is appended to an existing SELECT query. By manipulating the parameter, the attacker can extract confidential database content, exposing sensitive site information and compromising confidentiality.

Affected Systems

The vulnerability affects the WordPress plugin WP Links Page from vendor rico-macchi, in all releases up to and including 4.9.6. Any WordPress installation that has not applied a later version is potentially exploitable. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 6.5 classifies the issue as medium severity, while the EPSS score of less than 1% indicates a low likelihood of real-world exploitation. The flaw is not registered in the CISA KEV catalog. Exploitation requires a valid authenticated account with Subscriber rights or higher; no further software or conditions are needed. Once access is gained, the attacker can use the injection to read database tables.

Generated by OpenCVE AI on April 21, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Links Page to a patched version newer than 4.9.6.
  • Restrict plugin endpoints so that only administrator accounts can use the “id” parameter, or remove the Subscriber role from sites that do not require it.
  • Perform regular security reviews and monitor database logs for anomalous queries that could indicate exploitation attempts.
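As an added illustration (not code from the WP Links Page plugin, its vendor, or OpenCVE), the hypothetical WordPress handler below shows the defect class the Impact section describes, a raw 'id' value concatenated into a SELECT, next to the two fixes the Recommended Actions point at: binding the value through $wpdb->prepare() and gating the endpoint on a capability rather than on login alone. The table name, AJAX action name, nonce action name and function names are all assumptions.

```php
<?php
// Hypothetical illustration only; none of these names come from the plugin.

// Vulnerable pattern: the request value is concatenated straight into SQL.
// Anything other than a plain integer changes the query's structure, which
// is the CWE-89 weakness the advisory records.
function links_page_get_row_vulnerable( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_links'; // assumed table name
    $sql   = "SELECT id, title, url FROM {$table} WHERE id = " . $id;
    return $wpdb->get_row( $sql );
}

// Hardened pattern: coerce the value to the expected type, then bind it with
// $wpdb->prepare() so the database only ever sees it as data, never as SQL.
function links_page_get_row_safe( $id ) {
    global $wpdb;
    $id = absint( $id );           // non-negative integer or 0 for junk input
    if ( 0 === $id ) {
        return null;               // no row has id 0; bail out early
    }
    $table = $wpdb->prefix . 'example_links'; // assumed table name
    $sql   = $wpdb->prepare(
        "SELECT id, title, url FROM {$table} WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}

// The advisory notes that Subscriber-level access reaches the vulnerable
// endpoint. Checking a capability (here manage_options, i.e. administrators)
// instead of only requiring a logged-in user narrows who can call it at all,
// which is the second of the recommended actions above.
function links_page_ajax_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'links_page_nonce', 'nonce' ); // assumed nonce action
    $raw = isset( $_GET['id'] ) ? wp_unslash( $_GET['id'] ) : 0;
    wp_send_json_success( links_page_get_row_safe( $raw ) );
}
add_action( 'wp_ajax_links_page_get_row', 'links_page_ajax_handler' ); // assumed action
```

The type coercion and the prepared statement are independent layers: absint() alone would be enough for an integer column, but prepare() also covers the string columns a real plugin will eventually query with %s, so using it consistently is the habit that prevents the next instance of this bug.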

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000


Mon, 20 Oct 2025 16:30:00 +0000

Type: First Time appeared
Values Added: Rico Macchi; Rico Macchi wp Links Page; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Rico Macchi; Rico Macchi wp Links Page; Wordpress; Wordpress wordpress

Tue, 14 Oct 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 11 Oct 2025 09:45:00 +0000

Type: Description
Values Added: The WP Links Page plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 4.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: WP Links Page <= 4.9.6 - Authenticated (Subscriber+) SQL Injection

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:30.362Z

Reserved: 2025-09-09T14:22:12.741Z

Link: CVE-2025-10175

Vulnrichment

Updated: 2025-10-14T18:31:58.517Z

NVD

Status : Deferred

Published: 2025-10-11T10:15:41.977

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10175

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:30:25Z

Weaknesses