CVE-2024-12025 is a SQL Injection vulnerability identified in the Collapsing Categories plugin for WordPress, maintained by robfelty. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) due to insufficient escaping and lack of prepared statements in handling the 'taxonomy' parameter of the plugin's REST API endpoint (/wp-json/collapsing-categories/v1/get). This flaw allows unauthenticated remote attackers to append arbitrary SQL queries to the existing database query, enabling extraction of sensitive data such as user credentials, configuration details, or other confidential information stored in the WordPress database. The vulnerability affects all versions up to and including 3.0.8. The CVSS v3.1 base score is 7.5, reflecting a high severity with network attack vector, no privileges required, no user interaction, and a high impact on confidentiality but no impact on integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability's exploitation scope is broad due to the widespread use of WordPress and its plugins, making it a significant risk for websites relying on this plugin for taxonomy management.

The primary impact of CVE-2024-12025 is unauthorized disclosure of sensitive information from the WordPress database. Attackers exploiting this vulnerability can extract confidential data such as user credentials, personal information, or site configuration details, potentially leading to further compromise or data breaches. Since the vulnerability requires no authentication and can be triggered remotely, it significantly increases the attack surface for affected websites. While the vulnerability does not directly affect data integrity or availability, the exposure of sensitive data can lead to reputational damage, regulatory penalties, and loss of customer trust. Organizations running WordPress sites with the Collapsing Categories plugin are at risk of targeted attacks, especially those handling sensitive user data or operating in regulated industries. The lack of known active exploits provides a window for proactive mitigation, but the ease of exploitation and high confidentiality impact necessitate urgent attention.

1. Immediate mitigation involves disabling or removing the Collapsing Categories plugin until a secure patched version is released. 2. Monitor official plugin repositories and vendor announcements for updates or patches addressing CVE-2024-12025 and apply them promptly. 3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable REST API endpoint, especially those containing SQL injection patterns in the 'taxonomy' parameter. 4. Restrict access to the REST API endpoint via IP whitelisting or authentication mechanisms where feasible to reduce exposure. 5. Conduct regular security audits and database monitoring to detect unusual query patterns or data exfiltration attempts. 6. Educate site administrators on the risks of installing unvetted plugins and maintaining up-to-date software. 7. Implement least privilege principles for database users to limit the impact of potential SQL injection attacks. 8. Backup website and database regularly to enable recovery in case of compromise.