CVE-2025-10582: 
WordPress vulnerability analysis and mitigation

The WP Dispatcher plugin for WordPress contains a SQL Injection vulnerability (CVE-2025-10582) discovered in all versions up to and including 1.2.0. The vulnerability was disclosed on October 2, 2025, and affects the plugin's handling of the 'id' parameter. The issue was identified by researcher theviper17y and has been assigned a high severity CVSS score of 8.8 (NVD, Wordfence).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries, specifically in the handling of the 'id' parameter. The issue has been classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerability received a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact potential (NVD).

The vulnerability allows authenticated attackers with Contributor-level access or higher to append additional SQL queries to existing queries. This capability can be exploited to extract sensitive information from the database, potentially compromising the confidentiality, integrity, and availability of the affected WordPress installation (NVD).

The plugin has been temporarily closed as of September 30, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version is released (WordPress).