CVE-2025-13652 is a SQL Injection vulnerability identified in the CBX Bookmark & Favorite plugin for WordPress, affecting all versions up to and including 2.0.4. The root cause is insufficient escaping and lack of prepared statements for the 'orderby' parameter, which is user-supplied. This flaw allows authenticated attackers with Subscriber-level access or higher to append malicious SQL code to existing queries. Since the vulnerability does not require higher privileges than Subscriber and no user interaction, it lowers the barrier for exploitation. The injected SQL commands can be used to extract sensitive information from the underlying database, compromising confidentiality. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting medium severity with network attack vector, low attack complexity, and partial privileges required. No known public exploits or patches are currently available, increasing the urgency for proactive mitigation. The vulnerability falls under CWE-89, which is a common and critical class of injection flaws that can lead to data breaches and unauthorized data access.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive data stored in WordPress databases, including user information, credentials, or business-critical content. Since the attack requires only Subscriber-level access, attackers can exploit compromised or low-privilege accounts to escalate their impact. This can undermine trust, cause regulatory compliance issues under GDPR due to data leakage, and potentially facilitate further attacks by exposing internal data. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially for organizations with public-facing WordPress sites using this plugin. The impact is primarily on confidentiality, with no direct integrity or availability effects reported. However, data exposure can have cascading effects on business operations and reputation.

European organizations should immediately audit their WordPress installations to identify the presence of the CBX Bookmark & Favorite plugin and its version. Since no official patches are currently available, temporary mitigations include restricting Subscriber-level user capabilities to prevent exploitation, disabling or removing the plugin if not essential, and applying web application firewall (WAF) rules to detect and block suspicious 'orderby' parameter usage. Monitoring database logs for unusual query patterns can help detect attempted exploitation. Organizations should also enforce strong authentication and account management policies to reduce the risk of account compromise. Keeping WordPress core and all plugins updated is critical, and organizations should watch for vendor patches or updates addressing this vulnerability. Finally, conducting regular security assessments and penetration tests can help identify and remediate similar injection flaws.