CVE-2025-10047: 
WordPress vulnerability analysis and mitigation

The Email Tracker WordPress plugin (versions up to 5.3.12) contains a SQL Injection vulnerability identified as CVE-2025-10047. The vulnerability was discovered and disclosed on October 21, 2025, affecting the Email Log, Email Open Tracking, Email Analytics & Email Management functionality. The issue stems from insufficient escaping of the 'orderby' parameter in the plugin's email list functionality (NVD, Wordfence).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 base score of 4.9 (Medium). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) and no user interaction (UI:N). The scope is unchanged (S:U) with high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD).

The vulnerability allows authenticated attackers with Administrator-level access or higher to append additional SQL queries to existing queries. This can be exploited to extract sensitive information from the WordPress database (NVD).

Users should upgrade to a version newer than 5.3.12 once available. In the meantime, limiting administrator access and monitoring database queries can help mitigate the risk (Wordfence).