{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10635", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-09-17T13:13:58.985Z", "datePublished": "2025-10-08T06:00:03.943Z", "dateUpdated": "2026-04-02T12:39:50.356Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:50.356Z"}, "title": "Find Me On <= 2.0.9.1 - Subscriber+ SQL Injection", "problemTypes": [{"descriptions": [{"description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Find Me On", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "2.0.9.1"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The Find Me On WordPress plugin through 2.0.9.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers and above to perform SQL injection attacks"}], "references": [{"url": "https://wpscan.com/vulnerability/92e965aa-45fc-4189-a341-1ecac656ebf3/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Khaled Alenazi (Nxploited)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"references": [{"url": "https://wpscan.com/vulnerability/92e965aa-45fc-4189-a341-1ecac656ebf3/", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-10-08T14:17:35.590275Z", "id": "CVE-2025-10635", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-08T14:17:55.584Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-10635", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-08T14:17:35.590275Z"}}}], "references": [{"url": "https://wpscan.com/vulnerability/92e965aa-45fc-4189-a341-1ecac656ebf3/", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-08T14:17:52.105Z"}}], "cna": {"title": "Find Me On <= 2.0.9.1 - Subscriber+ SQL Injection", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Khaled Alenazi (Nxploited)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Find Me On", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.9.1"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/92e965aa-45fc-4189-a341-1ecac656ebf3/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Find Me On WordPress plugin through 2.0.9.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers and above to perform SQL injection attacks"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:50.356Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10635", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:50.356Z", "dateReserved": "2025-09-17T13:13:58.985Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2025-10-08T06:00:03.943Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Find Me On WordPress plugin through 2.0.9.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers and above to perform SQL injection attacks"}], "id": "CVE-2025-10635", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-10-08T06:15:33.527", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/92e965aa-45fc-4189-a341-1ecac656ebf3/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://wpscan.com/vulnerability/92e965aa-45fc-4189-a341-1ecac656ebf3/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:38:17.953580+00:00", "value": {"mitigation_remediation": ["Upgrade the Find\u202fMe\u202fOn plugin to the latest version; if the plugin has not yet been updated, consider disabling it entirely or removing it from the site.", "If the plugin must remain in use, limit the database user\u2019s permissions to SELECT only on the tables accessed by the plugin to minimize potential damage from an injection.", "Restrict access to the plugin\u2019s functionality by applying role\u2011based access controls, ensuring only administrators can interact with endpoints that accept user input.", "Monitor the WordPress logs for unusual SQL query activity or error messages that may indicate an attempt to exploit the flaw."], "summary": {"action": "Apply Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has the Find\u202fMe\u202fOn plugin installed and is running a version \u2264\u202f2.0.9.1 is impacted. The plugin is distributed under an unknown vendor, so all installations using this plugin version are at risk. The flaw is only exploitable by accounts that already exist on the site, so ordinary visitors who cannot authenticate are not directly affected unless additional misconfigurations allow anonymous access to the relevant endpoints.", "description_and_impact": "The Find\u202fMe\u202fOn WordPress plugin, versions up to 2.0.9.1, contains a flaw that fails to sanitize and escape a user\u2011supplied parameter before it is incorporated into a SQL statement. This omission allows any authenticated user with the Subscriber role or higher to inject arbitrary SQL into backend queries. The vulnerability is a classic example of CWE\u201189 (SQL Injection) and could enable the attacker to read, modify, or delete data in the WordPress database, potentially compromising user data and site integrity.", "risk_and_exploitability": "With a CVSS score of 7.7, the flaw is considered high severity. The EPSS metrics show a probability of exploitation of less than 1\u202f% and the vulnerability is not listed in the CISA KEV catalog, indicating no known active exploits. Nevertheless, because the attack requires only subscriber\u2011level access\u2014roles commonly assigned to regular users\u2014the potential for exploitation is significant. Administrators should treat this as a high\u2011priority issue and act promptly to mitigate the risk."}}}}, "created": "2025-10-09T12:55:16.785791+00:00", "updated": "2026-04-28T10:45:29.421989+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-89"]}