TARIFFUXX Vulnerability (Medium) – CVE-2025-10682

by | Feb 25, 2026 | Plugins

Attack Vectors

TARIFFUXX (slug: tariffuxx) versions up to and including 1.4 contain a Medium-severity vulnerability (CVSS 6.5, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) tracked as CVE-2025-10682.

The primary attack path is through the tariffuxx_configurator shortcode. An attacker with authenticated WordPress access at the Contributor role or higher can supply a crafted id attribute to the shortcode and potentially trigger SQL Injection against the WordPress database.

Because this can be executed remotely over the network and does not require additional user interaction (UI:N), the most realistic scenarios involve compromised low-level accounts (e.g., a hijacked Contributor login) or overly broad access granted to external contractors, agencies, or temporary staff.
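Because the shortcode is placed in post content by authors, one practical defensive step is to audit existing posts for uses of the shortcode whose id attribute is not a plain integer, and to see which accounts authored them. The helper below is an added example for this page, not code from TARIFFUXX, the advisory, or Wordfence; it runs inside WordPress (for instance via `wp eval-file`) and relies only on core functions (`get_shortcode_regex`, `shortcode_parse_atts`, `WP_Query`, `get_userdata`). The function name `tariffuxx_audit_shortcode_ids` is an assumption of this example.

```php
<?php
// Added audit helper (not part of TARIFFUXX or the advisory). Lists every post
// in which [tariffuxx_configurator ...] appears with an id attribute that is
// not digits only, with the post author and that author's roles, so an
// administrator can review content created by lower-privileged accounts.

function tariffuxx_audit_shortcode_ids() {
    $findings = array();
    // Core builds the canonical shortcode regex; restrict it to the one tag.
    $regex = get_shortcode_regex( array( 'tariffuxx_configurator' ) );

    $query = new WP_Query( array(
        'post_type'      => 'any',
        'post_status'    => array( 'publish', 'pending', 'draft', 'future', 'private' ),
        'posts_per_page' => -1,
        's'              => '[tariffuxx_configurator', // coarse pre-filter on content
    ) );

    foreach ( $query->posts as $post ) {
        if ( ! preg_match_all( '/' . $regex . '/s', $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            // Capture group 3 of the core regex is the raw attribute string.
            $atts = shortcode_parse_atts( $m[3] );
            $atts = is_array( $atts ) ? $atts : array();
            $id   = isset( $atts['id'] ) ? (string) $atts['id'] : '';

            // An expected id is digits only; anything else deserves a human look.
            if ( ! ctype_digit( $id ) ) {
                $author     = get_userdata( $post->post_author );
                $findings[] = array(
                    'post_id' => $post->ID,
                    'author'  => $author ? $author->user_login : '(unknown)',
                    'roles'   => $author ? implode( ',', $author->roles ) : '',
                    'id_attr' => $id,
                );
            }
        }
    }
    return $findings;
}

foreach ( tariffuxx_audit_shortcode_ids() as $f ) {
    printf( "post %d by %s [%s]: id=\"%s\"\n", $f['post_id'], $f['author'], $f['roles'], $f['id_attr'] );
}
```

The audit is deliberately broad: it includes drafts and pending posts, because a Contributor's content sits in those states before review, and it reports the author's roles so that findings can be matched against the least-privilege question of who actually needs to author content on the site.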

Security Weakness

This issue is an SQL Injection weakness caused by insufficient neutralization of user-supplied input before it is used in a database query. In practical terms, the plugin accepts input via the shortcode attribute and does not adequately constrain or sanitize it before building or executing SQL statements.

The result is that an authenticated attacker may be able to append or manipulate parts of the underlying query, enabling unauthorized retrieval of data from the database. The advisory notes the risk is focused on data confidentiality (C:H), with no direct integrity or availability impact indicated in the scoring.
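The pattern the advisory describes, a shortcode attribute reaching a database query without being constrained, and the form a fixed handler takes are shown side by side below. This is an added illustration written for this page, not the TARIFFUXX plugin's code and not a reconstruction of the patched release: the table name `{$wpdb->prefix}tariffuxx_tariffs`, its columns, and the function names are hypothetical, and the example registers its own tag (`tariffuxx_configurator_example`) so it cannot collide with the real shortcode.

```php
<?php
// Added illustration, not the TARIFFUXX plugin's own code. Shows the unsafe
// pattern (a shortcode attribute concatenated into SQL) beside a hardened
// handler. Table and column names are hypothetical.

// --- Unsafe pattern: the raw `id` attribute becomes part of the SQL text ---
function tariffuxx_example_unsafe_handler( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'tariffuxx_configurator_example' );

    // Any post author, including a Contributor, controls this string, so the
    // query structure itself is attacker-influenced.
    $sql  = "SELECT * FROM {$wpdb->prefix}tariffuxx_tariffs WHERE id = " . $atts['id'];
    $rows = $wpdb->get_results( $sql );

    return esc_html( wp_json_encode( $rows ) );
}

// --- Hardened pattern: constrain the type, then bind with $wpdb->prepare() ---
function tariffuxx_example_safe_handler( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'tariffuxx_configurator_example' );

    // 1. Reduce the attribute to the type the query expects (a positive integer).
    $id = absint( $atts['id'] );
    if ( 0 === $id ) {
        return ''; // not a usable identifier: render nothing rather than query
    }

    // 2. Bind the value as a parameter. %d forces an integer, so the value can
    //    never change the shape of the statement, whatever the attribute held.
    $sql  = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}tariffuxx_tariffs WHERE id = %d",
        $id
    );
    $rows = $wpdb->get_results( $sql );

    return esc_html( wp_json_encode( $rows ) );
}

// Only the hardened handler is registered; the unsafe one is kept for contrast.
add_shortcode( 'tariffuxx_configurator_example', 'tariffuxx_example_safe_handler' );
```

Two layers matter here: `absint()` enforces the expected type up front, and `$wpdb->prepare()` with `%d` keeps the value out of the query grammar even if a future change loosens the validation. Output is escaped on the way to the page, which is unrelated to the SQL issue but is the same discipline applied at the other trust boundary.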

Remediation: Update TARIFFUXX to version 1.5 or a newer patched release. You can reference the vendor/research details here: Wordfence vulnerability advisory.

Technical or Business Impacts

Although this is rated Medium, the potential confidentiality impact is high. Depending on what tables and data are accessible through the vulnerable query path, attackers may be able to extract sensitive information from the WordPress database, which can include customer details, internal user data, or operational information used by your website and marketing systems.

For marketing directors and executives, the business risks typically center on data exposure and compliance: unauthorized disclosure can trigger incident response costs, legal/compliance reporting obligations, customer notification requirements, and reputational damage—especially if personal data or customer contact lists are involved.

This vulnerability also increases the impact of otherwise “minor” account compromises. If a Contributor account is stolen (phishing, password reuse, or credential stuffing), the attacker may be able to use this flaw to access data far beyond what that role should normally be able to reach.

Similar Attacks

SQL Injection vulnerabilities in WordPress plugins have historically been used to access sensitive database content when input validation is weak. A relevant example is CVE-2022-45938, an SQL Injection issue affecting the WP Statistics plugin (as documented in public CVE records).
