CVE-2025-13000 identifies a SQL Injection vulnerability in the db-access WordPress plugin through version 0.8.7. The root cause is the absence of authorization enforcement on an AJAX action endpoint, which is accessible to any authenticated user, including those with minimal privileges such as subscribers. This improper access control allows attackers to inject malicious SQL queries, potentially extracting sensitive information from the backend database. The vulnerability is classified under CWE-89, indicating classic SQL Injection issues. The CVSS v3.1 score is 7.7 (high), reflecting a network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N), and a scope change (S:C) with high confidentiality impact (C:H) but no impact on integrity or availability (I:N/A:N). The vulnerability was reserved on November 11, 2025, and published on December 2, 2025. No patches or known exploits are currently available, but the vulnerability's nature suggests it could be exploited to leak sensitive data from affected WordPress sites. The db-access plugin is used to facilitate database interactions within WordPress, and this flaw undermines the security model by allowing unauthorized SQL commands through an AJAX interface.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive data stored in the WordPress database, which may include user credentials, personal information, or site configuration details. Since the attack requires only authenticated access with low privileges, it significantly lowers the barrier for exploitation by malicious insiders or compromised accounts. The lack of impact on integrity and availability means the attacker cannot modify or disrupt data or services directly, but the confidentiality breach alone can lead to further attacks such as credential theft, privilege escalation, or targeted phishing. Organizations worldwide using the db-access plugin are at risk of data breaches, regulatory non-compliance, and reputational damage. The vulnerability's network-based attack vector allows remote exploitation, increasing the threat surface. Although no exploits are currently known in the wild, the high severity and ease of exploitation make this a critical issue to address promptly.

1. Immediately restrict access to the vulnerable AJAX action by implementing strict authorization checks that verify user roles and permissions before processing requests. 2. Update the db-access plugin to a patched version once available; monitor official sources for security updates. 3. If patching is not immediately possible, disable or remove the vulnerable AJAX endpoint to prevent exploitation. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the AJAX action. 5. Conduct thorough audits of user roles and permissions to minimize the number of users with authenticated access, especially those with subscriber-level accounts. 6. Monitor database logs and web server logs for unusual query patterns or repeated failed authorization attempts. 7. Educate site administrators about the risks of granting unnecessary access and encourage regular plugin updates. 8. Consider implementing database query parameterization and input validation within custom code to reduce injection risks.