CVE-2025-4578: 
WordPress vulnerability analysis and mitigation

The File Provider WordPress plugin through version 1.2.3 contains a SQL injection vulnerability that affects unauthenticated users. The vulnerability was discovered on May 14, 2025, and publicly disclosed on June 4, 2025. The issue exists due to improper sanitization and escaping of a parameter that is used in SQL statements via an AJAX action (WPScan, NVD).

The vulnerability is classified as CWE-89 (SQL Injection) and has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue specifically involves an AJAX action 'dfpdownloadfile' that processes the fileId parameter without proper sanitization, allowing for SQL injection attacks (WPScan).

Due to the critical severity rating and the unauthenticated nature of the vulnerability, successful exploitation could allow attackers to execute arbitrary SQL commands on the underlying database. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, or complete database compromise (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the File Provider WordPress plugin version 1.2.3 or earlier should consider disabling the plugin until a security update is released (WPScan).