{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10682", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-18T12:26:16.591Z", "datePublished": "2025-10-15T08:26:05.267Z", "dateUpdated": "2026-04-08T17:30:37.358Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:37.358Z"}, "affected": [{"vendor": "tariffuxx", "product": "TARIFFUXX", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The TARIFFUXX plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4. This is due to insufficient neutralization of user-supplied input used directly in SQL queries. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject additional SQL into queries and extract sensitive information from the database via a crafted id attribute in the 'tariffuxx_configurator' shortcode."}], "title": "TARIFFUXX <= 1.4 - Authenticated (Contributor+) SQL Injection via tariffuxx_configurator Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e897a83b-d746-427d-8c31-64d4eab5848e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tariffuxx/tags/1.4/classes/Tariffuxx_admin.php#L36"}, {"url": "https://plugins.trac.wordpress.org/browser/tariffuxx/tags/1.4/classes/Tariffuxx_twl.php#L164"}, {"url": "https://plugins.trac.wordpress.org/changeset/3465105/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-10-14T20:00:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T13:15:20.293526Z", "id": "CVE-2025-10682", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:16:04.019Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10682", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T13:15:20.293526Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:15:32.451Z"}}], "cna": {"title": "TARIFFUXX <= 1.4 - Authenticated (Contributor+) SQL Injection via tariffuxx_configurator Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "tariffuxx", "product": "TARIFFUXX", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-14T20:00:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e897a83b-d746-427d-8c31-64d4eab5848e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tariffuxx/tags/1.4/classes/Tariffuxx_admin.php#L36"}, {"url": "https://plugins.trac.wordpress.org/browser/tariffuxx/tags/1.4/classes/Tariffuxx_twl.php#L164"}, {"url": "https://plugins.trac.wordpress.org/changeset/3465105/"}], "descriptions": [{"lang": "en", "value": "The TARIFFUXX plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4. This is due to insufficient neutralization of user-supplied input used directly in SQL queries. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject additional SQL into queries and extract sensitive information from the database via a crafted id attribute in the 'tariffuxx_configurator' shortcode."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:37.358Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10682", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:30:37.358Z", "dateReserved": "2025-09-18T12:26:16.591Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T08:26:05.267Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The TARIFFUXX plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4. This is due to insufficient neutralization of user-supplied input used directly in SQL queries. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject additional SQL into queries and extract sensitive information from the database via a crafted id attribute in the 'tariffuxx_configurator' shortcode."}], "id": "CVE-2025-10682", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-15T09:15:41.327", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tariffuxx/tags/1.4/classes/Tariffuxx_admin.php#L36"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tariffuxx/tags/1.4/classes/Tariffuxx_twl.php#L164"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3465105/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e897a83b-d746-427d-8c31-64d4eab5848e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:17:19.942857+00:00", "value": {"mitigation_remediation": ["Upgrade the TARIFFUXX plugin to the latest available version, which includes the SQL injection fix.", "If an upgrade cannot be performed immediately, remove the tariffuxx_configurator shortcode or strip the id attribute so that no user input reaches the database query.", "Ensure that only trusted users have Contributor or higher roles and enforce strong passwords to reduce the chance that an attacker gains the necessary access."], "summary": {"action": "Update Plugin", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the TARIFFUXX plugin for WordPress. All installed versions up to and including 1.4 are susceptible; no other WordPress core components are impacted.", "description_and_impact": "The TARIFFUXX WordPress plugin is vulnerable to SQL Injection in versions 1.4 and earlier due to insufficient neutralization of user\u2013supplied input. The flaw allows an authenticated user with Contributor-level or higher access to inject malicious SQL via the id attribute of the tariffuxx_configurator shortcode, potentially enabling unauthorized extraction of data from the database and compromising confidentiality.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium severity. The EPSS score of less than 1% suggests a very low exploitation probability at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires authenticated access, so an attacker must possess Contributor or higher credentials, typically by inserting a crafted id value into the shortcode within the WordPress administration interface. Once authenticated, the attacker could extract sensitive database content."}}}}, "created": "2025-10-20T13:27:08.249074+00:00", "updated": "2026-04-21T02:30:25.819540+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}