CVE-2025-13370: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ov3rkll ProjectList
The ProjectList plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 0.3.0 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
The ProjectList plugin for WordPress, maintained by ov3rkll, suffers from a time-based SQL Injection vulnerability identified as CVE-2025-13370. The flaw exists in the handling of the 'id' parameter, which is insufficiently escaped and improperly prepared in SQL queries. This allows attackers with authenticated access at the Editor level or above to append arbitrary SQL commands to existing queries. The injection is time-based, meaning that attackers infer data by observing response delays caused by crafted SQL payloads rather than from query output returned to them. The vulnerability affects all versions up to and including 0.3.0. The CVSS 3.1 base score is 4.9 (medium), reflecting a network attack vector, low attack complexity, high required privileges (Editor), no user interaction, and high confidentiality impact with no integrity or availability impact. No patches or known exploits are currently available, but the vulnerability poses a risk of unauthorized data disclosure from the WordPress database, potentially exposing sensitive information stored there. The root cause is improper neutralization of special elements in SQL commands (CWE-89), a common injection flaw caused by insufficient input validation and the absence of parameterized queries or prepared statements.
Potential Impact
This vulnerability allows attackers with Editor or higher privileges to extract sensitive information from the WordPress database, potentially including user data, configuration details, or other confidential content. While it does not allow modification or deletion of data, unauthorized disclosure can lead to privacy breaches, compliance violations, and further targeted attacks. Organizations running websites with the vulnerable ProjectList plugin face increased risk of data leakage, especially if Editor-level accounts are compromised or misused. The attack requires authenticated access, limiting exposure to insiders or attackers who have already breached lower defenses. However, given WordPress's widespread use and the common assignment of Editor roles to trusted users, the threat remains significant. The lack of known exploits reduces immediate risk but does not eliminate the potential for future exploitation. The vulnerability does not affect system availability or integrity, but confidentiality impact is high.
Mitigation Recommendations
Immediate mitigation involves updating the ProjectList plugin to a fixed version once one is released by the vendor. Until a patch is available, organizations should restrict Editor-level access to trusted users only and audit existing accounts for unnecessary privileges. Implementing Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'id' parameter can reduce risk. Applying the principle of least privilege to WordPress roles and monitoring database query logs for anomalies (for example, queries on the plugin's tables that run unusually long) are also recommended. Developers should refactor the plugin code to use parameterized queries or prepared statements to prevent SQL injection. Regular security assessments and penetration testing focused on authenticated user inputs can help identify similar vulnerabilities. Additionally, organizations should ensure backups and incident response plans are in place in case of data compromise.
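The refactoring recommended above, shown as an added illustration rather than the plugin's own code (this page does not reproduce it): the weak pattern the description names, a query string built directly from the user-supplied 'id', beside the prepared-statement form WordPress provides through `$wpdb->prepare()`. The table name and function names are hypothetical.

```php
<?php
// Added example, not ProjectList's code. Table and function names are hypothetical.
// Both functions take the raw request value for 'id' and return one row or null.

/**
 * Weak pattern (CWE-89): the user-supplied value is interpolated into the SQL
 * string, so anything in $id that the database reads as SQL becomes part of
 * the statement. Lack of "preparation" in the advisory refers to this.
 */
function projectlist_get_project_unsafe( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'projectlist_items'; // hypothetical table name
    $sql   = "SELECT * FROM {$table} WHERE id = {$id}";
    return $wpdb->get_row( $sql );
}

/**
 * Hardened form: constrain the type first, then bind the value through
 * $wpdb->prepare(), which formats and escapes it so it can only ever be data.
 * Identifiers cannot be bound, so the table name still comes from a trusted
 * constant, never from the request.
 */
function projectlist_get_project_safe( $id ) {
    global $wpdb;
    $id = absint( $id ); // an item id is a positive integer; anything else becomes 0
    if ( 0 === $id ) {
        return null;
    }
    $table = $wpdb->prefix . 'projectlist_items'; // hypothetical table name
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_row( $sql );
}
```

Type coercion alone (`absint`) already closes the injection for an integer column; `prepare()` is kept so the same pattern carries over to string parameters, where `%s` does the quoting.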
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-18T18:09:21.567Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69255e28292ce6fc00be05f8
Added to database: 11/25/2025, 7:43:36 AM
Last enriched: 2/27/2026, 9:45:08 AM
Last updated: 3/22/2026, 1:20:14 AM
Views: 74