CVE Alert: CVE-2025-10582 – ekndev – WP Dispatcher

CVE-2025-10582

HIGH
No exploitation known

The WP Dispatcher plugin for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS v3.1 (8.8)
Vendor
ekndev
Product
WP Dispatcher
Versions
* lte 1.2.0
CWE
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-10-03T11:17:19.485Z
Updated
2025-10-03T14:03:16.127Z

AI Summary Analysis

Risk verdict

High risk: authenticated SQL injection with total impact could lead to comprehensive data exposure; urgent remediation advised even if exploitation has not yet been observed.

Why this matters

Users with Contributor-level access and above can already trigger the vulnerability over the web, giving an attacker the ability to read sensitive database contents or alter data. For organisations hosting WordPress sites this puts customer data, regulatory compliance and reputation at risk; exploitation requires no user interaction beyond the attacker's existing editorial access.

Most likely attack path

An attacker with Contributor+ rights sends crafted requests to the vulnerable endpoint, abusing insufficient input sanitisation in the id parameter. The flaw allows SQL injection at the database level over standard web traffic, with no UI prompts required and a low barrier to success; impact remains within the affected component.

Who is most exposed

Sites running the affected plugin in production WordPress deployments, especially those where staff or editors hold Contributor-level or higher permissions, and managed hosting environments that run multiple sites on shared credentials.

Detection ideas

  • Web logs show unusual SQL fragments in id parameter queries.
  • Database logs reveal injected SQL or abnormal query shapes tied to the plugin’s endpoint.
  • Increased error messages or database error codes indicating injection attempts.
  • Spike in requests to the plugin endpoint with targeted id values from authenticated accounts.
  • WAF alerts for SQL injection payloads involving the id parameter.

Mitigation and prioritisation

  • Patch to the latest version or disable the plugin until fixed.
  • Enforce least privilege: restrict Contributor+ access; review active editor accounts.
  • Apply WAF rules or input validation to block SQL injection patterns on the affected parameter.
  • Ensure the WordPress database user uses least-privilege permissions; restrict schema access.
  • Test fix in staging, schedule production deployment, and verify backups; monitor post-deploy for anomalous queries.
  • Data on KEV/EPSS not provided; if EPSS ≥ 0.5 treat as priority 1.
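As an added illustration of the flaw class the description names (an unprepared query with the user-supplied id interpolated into the SQL text) beside the corrected form using WordPress's `$wpdb->prepare()`, type validation and a capability check. This is not WP Dispatcher's code, which this record does not show; the table name, function names, capability and nonce action are assumptions.

```php
<?php
// Added illustration of the flaw class described above; NOT WP Dispatcher's code.
// Assumptions: a custom table $wpdb->prefix . 'dispatch_jobs' and an admin-ajax
// handler that reads an 'id' request parameter. Both are hypothetical.

// Weak pattern: the user-supplied value is dropped straight into the SQL text.
// A non-numeric 'id' changes the query's structure instead of its data, which
// is what "insufficient escaping" and "lack of preparation" amount to.
function dispatch_get_job_vulnerable() {
    global $wpdb;
    $id  = $_GET['id'];                       // unescaped, unvalidated
    $sql = "SELECT * FROM {$wpdb->prefix}dispatch_jobs WHERE id = $id";
    return $wpdb->get_row( $sql );            // no prepare(), no type check
}

// Corrected form: validate the type, then bind the value with prepare().
// A capability check and nonce keep the handler from being reachable by
// every authenticated user (the record says Contributor-level suffices).
function dispatch_get_job_fixed() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {   // assumed required capability
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'dispatch_get_job' );          // assumed nonce action name

    // absint() rejects anything that is not a positive integer.
    $id = isset( $_GET['id'] ) ? absint( wp_unslash( $_GET['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // %d is an integer placeholder; the table name is not user-controlled.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}dispatch_jobs WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}
```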
