CVE-2025-10682
📋 TL;DR
The TARIFFUXX WordPress plugin versions up to 1.4 contain a SQL injection vulnerability that allows authenticated attackers with Contributor-level access or higher to extract sensitive database information. Attackers can exploit this by crafting malicious input in the 'tariffuxx_configurator' shortcode's id attribute. This affects all WordPress sites using vulnerable versions of the TARIFFUXX plugin.
💻 Affected Systems
- WordPress TARIFFUXX plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive user data, administrative credentials, and potentially full site takeover if database credentials are exposed.
Likely Case
Extraction of sensitive information from the database such as user credentials, personal data, or plugin configuration details.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of WordPress shortcode structure. The vulnerability is in user-supplied input handling within SQL queries.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.4 (check plugin repository for latest)
Vendor Advisory: https://plugins.trac.wordpress.org/browser/tariffuxx
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find TARIFFUXX plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and remove plugin immediately.
🔧 Temporary Workarounds
Remove Contributor Access
allTemporarily restrict Contributor-level access to prevent exploitation while patching.
Disable Shortcode
allRemove or disable the 'tariffuxx_configurator' shortcode from posts/pages.
🧯 If You Can't Patch
- Immediately deactivate and remove the TARIFFUXX plugin from all WordPress installations
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the tariffuxx_configurator shortcode
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for TARIFFUXX plugin version 1.4 or earlier.Check Version:
wp plugin list --name=tariffuxx --field=versionVerify Fix Applied:
Verify plugin version is greater than 1.4 and check that the vulnerable code lines referenced in CVE are no longer present.📡 Detection & Monitoring
Log Indicators:
- Unusual database queries containing tariffuxx_configurator references
- Multiple failed SQL queries from Contributor-level users
- Suspicious POST requests to WordPress with crafted id parameters
Network Indicators:
- HTTP requests containing SQL injection patterns in id parameter
- Unusual database connection patterns from web server
SIEM Query:
source="wordpress.log" AND ("tariffuxx_configurator" OR "tariffuxx") AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE" OR "UPDATE")