PT-2025-40475 · WordPress · Wprecovery

Dj +1 · Published 2025-10-03 · Updated 2025-10-08 · CVE-2025-10726

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WPRecovery versions prior to 2.1

Description

The WPRecovery plugin for WordPress is affected by a SQL Injection issue because user input is insufficiently validated and SQL queries are insufficiently prepared. Specifically, the data[id] parameter is vulnerable. This allows unauthenticated attackers to inject additional SQL queries, potentially extracting sensitive information from the database. The result of the injected query is then passed to PHP’s unlink() function, enabling attackers to delete arbitrary files on the server by injecting file paths through the SQL query.

Recommendations

Update WPRecovery to version 2.1 or later.
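
The description names two separate defects: an unprepared query on data[id], and a database value handed to unlink() without a path check. The PHP below is an added example of closing both, not WPRecovery's code or its 2.1 patch; the function, table, column and directory names are hypothetical, and it assumes it runs inside WordPress.

```php
<?php
// Added example, not WPRecovery's code. The function, table, column and
// directory names are hypothetical; assumes a loaded WordPress environment.
function example_delete_backup( $raw_id ) {
    global $wpdb;

    // The advisory's attacker is unauthenticated: gate the destructive action.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed.' );
    }

    // 1. Accept only a string of digits; reject anything else outright.
    $raw_id = ( is_string( $raw_id ) || is_int( $raw_id ) ) ? (string) $raw_id : '';
    if ( ! ctype_digit( $raw_id ) ) {
        return new WP_Error( 'bad_id', 'Backup id must be an integer.' );
    }

    // 2. Bind the value through a placeholder instead of concatenating it.
    $table = $wpdb->prefix . 'example_backups';
    $name  = $wpdb->get_var(
        $wpdb->prepare( "SELECT file_name FROM {$table} WHERE id = %d", (int) $raw_id )
    );
    if ( null === $name ) {
        return new WP_Error( 'not_found', 'No such backup.' );
    }

    // 3. Treat the database value as untrusted: keep only its base name,
    //    resolve it, and require the result to sit inside the backup directory.
    $base = realpath( WP_CONTENT_DIR . '/example-backups' );
    if ( false === $base ) {
        return new WP_Error( 'no_dir', 'Backup directory is missing.' );
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . basename( $name ) );
    if ( false === $target || ! is_file( $target )
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'bad_path', 'Refusing to delete outside the backup directory.' );
    }

    wp_delete_file( $target );
    return ! file_exists( $target );
}
```

The path check in step 3 stands on its own: even if a row in the table is tampered with by some other route, the delete cannot leave the backup directory.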

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2025-10726

Affected Products

Wprecovery