Overview
This article details a medium-severity SQL Injection vulnerability identified as CVE-2025-13370, affecting the ProjectList WordPress plugin. All versions up to, and including, 0.3.0 are vulnerable. This flaw allows authenticated attackers with Editor-level access (or higher) to inject arbitrary SQL queries into existing queries, potentially leading to sensitive data extraction from the WordPress database.
Technical Details
CVE-2025-13370 is a time-based SQL Injection vulnerability found within the ‘id’ parameter of the ProjectList plugin. The vulnerability stems from inadequate input sanitization and insufficient preparation of the SQL query when processing the ‘id’ parameter. Specifically, the plugin fails to properly escape user-supplied data before incorporating it into the SQL query. An attacker can leverage this weakness by crafting malicious SQL code within the ‘id’ parameter. The vulnerable code exists, for example, in the `pl-add.php` file within the plugin’s directory.
The specific lines of code responsible are located around line 61 in both the tagged version (0.3.0) and trunk version of the plugin:
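The two patterns below are an added illustration written for this article, not the plugin's actual code at line 61: a query that concatenates the `id` parameter directly (the class of defect described above) next to the prepared-statement form WordPress provides. The table name `projectlist` and the column `id` are assumptions; only the `id` request parameter comes from the advisory.

```php
<?php
// Added example, not ProjectList's own code. The table/column names are
// assumed; $wpdb is the WordPress database object passed in by the caller.

// Vulnerable pattern: the request value is pasted into the SQL string, so
// anything the caller appends to 'id' becomes part of the statement. A
// time-based probe works here because the database executes whatever the
// caller adds, and the response delay leaks one bit per request.
function pl_get_project_vulnerable( $wpdb ) {
    $id  = isset( $_GET['id'] ) ? $_GET['id'] : '';
    $sql = "SELECT * FROM {$wpdb->prefix}projectlist WHERE id = " . $id;
    return $wpdb->get_row( $sql );
}

// Hardened pattern: the value is coerced to a non-negative integer with
// absint() and then bound through $wpdb->prepare() with a %d placeholder,
// so the query can only ever contain a number at that position.
function pl_get_project_fixed( $wpdb ) {
    // Authorization check kept explicit; the advisory notes this path is
    // already reachable only by Editor-level users, so the capability name
    // here is an assumption about how the plugin gates the page.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        return null;
    }
    $id = isset( $_GET['id'] ) ? absint( wp_unslash( $_GET['id'] ) ) : 0;
    if ( 0 === $id ) {
        return null; // reject missing, zero or non-numeric input outright
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}projectlist WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}
```

When reviewing a plugin for this defect, search for `$wpdb->query`, `get_row`, `get_results` and `get_var` calls whose SQL string is built with `.` or `{}` interpolation of request data rather than passed through `$wpdb->prepare()`.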
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-13370 a score of 4.9, indicating a Medium severity. This score reflects the following factors:
- Attack Vector: Network (AV:N)
- Attack Complexity: High (AC:H) – Exploitation requires careful crafting of SQL injection payloads.
- Privileges Required: High (PR:H) – Requires Editor-level access or higher.
- User Interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Confidentiality Impact: Low (C:L)
- Integrity Impact: None (I:N)
- Availability Impact: None (A:N)
Possible Impact
Successful exploitation of this vulnerability can lead to:
- Data Breach: An attacker can extract sensitive information from the WordPress database, including user credentials, configuration details, and other confidential data.
- Limited Impact: Given the requirement of Editor-level access and above, the risk is mitigated by the limited number of users with these privileges.
Mitigation and Patch Steps
The primary mitigation for CVE-2025-13370 is to update the ProjectList plugin to a version higher than 0.3.0, if a patched version is available. Check the WordPress plugin repository for an updated version. If an update is not available, consider temporarily disabling the plugin until a patched version is released. If you are unable to update, implementing a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts can provide a degree of protection. However, this is not a complete solution, and updating or removing the plugin is strongly recommended.
