CVE-2025-13370: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ov3rkll ProjectList
The ProjectList plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 0.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
CVE-2025-13370 identifies a SQL Injection vulnerability in the ProjectList plugin for WordPress, affecting all versions up to and including 0.3.0. The flaw arises from improper neutralization of special elements in SQL commands (CWE-89), specifically due to insufficient escaping of the 'id' parameter supplied by users. This parameter is used in SQL queries without adequate preparation or parameterization, enabling attackers with Editor-level or higher privileges to append malicious SQL code. The attack vector is time-based SQL Injection, which allows an attacker to infer database content by measuring response delays. Exploitation requires authenticated access with elevated privileges but does not require user interaction beyond that. The vulnerability compromises confidentiality by allowing unauthorized data extraction but does not affect data integrity or availability. The CVSS 3.1 score of 4.9 reflects a medium severity, considering the network attack vector, low attack complexity, and requirement for high privileges. No known exploits have been reported in the wild, and no official patches have been released as of the publication date. The vulnerability was reserved and published in November 2025 by Wordfence. Given the widespread use of WordPress in Europe and the potential for sensitive data exposure, this vulnerability poses a moderate risk to organizations using the affected plugin.
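The unsafe pattern the analysis describes, next to the WordPress-native fix, as an added illustration that is not the ProjectList plugin's own code: the function names and the table name `{$wpdb->prefix}projectlist` are assumptions.

```php
<?php
// Hypothetical illustration (not ProjectList code) of the CWE-89 pattern the
// advisory describes and of the prepared-statement fix WordPress provides.

// Unsafe: the raw 'id' parameter is concatenated into the SQL text without
// escaping or preparation, so anything following the number becomes SQL.
function projectlist_get_project_unsafe() {
    global $wpdb;
    $id  = isset( $_GET['id'] ) ? $_GET['id'] : '';
    $sql = "SELECT * FROM {$wpdb->prefix}projectlist WHERE id = " . $id;
    return $wpdb->get_row( $sql );
}

// Hardened: coerce 'id' to a non-negative integer up front, reject anything
// that is not a usable key, and bind the value through $wpdb->prepare() with
// the %d placeholder so it can never alter the shape of the statement.
function projectlist_get_project_safe() {
    global $wpdb;
    $id = absint( $_GET['id'] ?? 0 );
    if ( 0 === $id ) {
        return new WP_Error( 'bad_request', 'id must be a positive integer.' );
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}projectlist WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}
```

The `%d` placeholder is the right choice for a numeric key; `%s` would only quote and escape the value, which is sufficient against injection but still lets non-numeric garbage reach the database.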
Potential Impact
For European organizations, the primary impact of CVE-2025-13370 is the potential unauthorized disclosure of sensitive data stored in WordPress databases via the ProjectList plugin. Since exploitation requires Editor-level access, the threat comes mainly from insiders or from compromised accounts with elevated privileges. Confidentiality breaches could expose customer data, intellectual property, or internal business information, leading to reputational damage, regulatory penalties (e.g., GDPR violations), and potential financial losses. The vulnerability does not directly affect data integrity or availability, so operational disruption is unlikely. However, attackers could leverage extracted information for further attacks or lateral movement within the network. Organizations with extensive WordPress deployments, especially those using the ProjectList plugin, face increased risk. The absence of known exploits reduces the immediate threat but does not eliminate future risk, especially if attackers develop automated tools. European entities in sectors with strict data protection requirements (finance, healthcare, government) are particularly exposed to the confidentiality impact.
Mitigation Recommendations
1. Immediately audit and restrict Editor-level and higher privileges to trusted personnel only, minimizing the attack surface.
2. Implement strict input validation and sanitization on the 'id' parameter at the application or web server level as a temporary workaround.
3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the ProjectList plugin.
4. Monitor WordPress logs and database query logs for unusual or time-delayed responses indicative of time-based SQL injection attempts.
5. Regularly update WordPress core and plugins, and apply the official patch from the vendor once released.
6. Conduct security awareness training emphasizing the risks of privilege misuse and credential compromise.
7. Consider isolating WordPress instances or using database access controls to limit the impact of potential data extraction.
8. Use multi-factor authentication to reduce the risk of account compromise for users with elevated privileges.
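Recommendation 4 in WordPress-native form, as an added example that is not part of the advisory or of the plugin: a hypothetical must-use plugin that logs any request whose 'id' query parameter is not a plain integer, or whose handling ran longer than an assumed threshold, together with the authenticated user who sent it.

```php
<?php
/**
 * Plugin Name: Slow/malformed 'id' request monitor (illustrative)
 * Description: Hypothetical mu-plugin, not part of ProjectList. Logs the two
 * signals recommendation 4 asks operators to watch for on a numeric-key lookup:
 * a non-integer 'id' value and an abnormally delayed response.
 */

// Assumed threshold: a primary-key lookup should never take this long.
const PL_MONITOR_SLOW_SECONDS = 3.0;

add_action( 'shutdown', 'pl_monitor_log_suspicious_request' );

function pl_monitor_log_suspicious_request() {
    if ( ! isset( $_GET['id'] ) ) {
        return;
    }
    $id      = (string) $_GET['id'];
    // REQUEST_TIME_FLOAT is set by PHP when the request started.
    $elapsed = microtime( true ) - (float) $_SERVER['REQUEST_TIME_FLOAT'];
    $reasons = array();

    // Signal 1: a numeric key carrying anything but digits is malformed input.
    if ( ! ctype_digit( $id ) ) {
        $reasons[] = 'non-integer id';
    }
    // Signal 2: a delayed response is what time-based injection produces.
    if ( $elapsed >= PL_MONITOR_SLOW_SECONDS ) {
        $reasons[] = sprintf( 'slow response (%.2fs)', $elapsed );
    }
    if ( empty( $reasons ) ) {
        return;
    }

    // Record the account: the advisory's exploit path is an authenticated Editor+.
    error_log( sprintf(
        '[pl-monitor] %s user=%d ip=%s uri=%s id=%s',
        implode( '; ', $reasons ),
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-',
        substr( $id, 0, 64 )
    ) );
}
```

Dropped into wp-content/mu-plugins it writes to the PHP error log (or debug.log with WP_DEBUG_LOG). Other features that also use an `id` parameter will produce noise, so tune the threshold and, where the plugin's endpoint is known, scope the check to it.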
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-18T18:09:21.567Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69255e28292ce6fc00be05f8
Added to database: 11/25/2025, 7:43:36 AM
Last enriched: 11/25/2025, 8:02:44 AM
Last updated: 12/2/2025, 12:08:44 AM