CVE-2025-13652 identifies a SQL Injection vulnerability in the CBX Bookmark & Favorite plugin for WordPress, present in all versions up to and including 2.0.4. The vulnerability stems from improper neutralization of special elements in the 'orderby' parameter, which is used in SQL queries without adequate escaping or prepared statements. Authenticated attackers with Subscriber-level privileges or higher can exploit this flaw by injecting additional SQL commands appended to legitimate queries. This allows unauthorized extraction of sensitive information from the backend database, such as user data or configuration details. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS v3.1 score is 6.5, reflecting medium severity with high confidentiality impact but no impact on integrity or availability. While no public exploits have been reported, the ease of exploitation and common use of WordPress make this a notable risk. The vulnerability highlights the importance of secure coding practices, especially input validation and use of parameterized queries in WordPress plugin development.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in the WordPress database, which can include user credentials, personal data, and site configuration. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach can facilitate further attacks such as privilege escalation, phishing, or targeted exploitation of other vulnerabilities. Organizations running websites with the affected plugin risk data leakage, reputational damage, and potential regulatory non-compliance if personal data is exposed. Since exploitation requires only Subscriber-level access, attackers can leverage compromised or low-privilege accounts to escalate their capabilities. The widespread use of WordPress globally means that many organizations, especially small to medium businesses and content publishers, could be affected. The lack of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future.

1. Immediately update the CBX Bookmark & Favorite plugin to a patched version once released by the vendor. Monitor official channels for patch announcements. 2. Until a patch is available, restrict Subscriber-level user permissions and audit existing accounts to minimize potential attackers. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'orderby' parameter. 4. Employ strict input validation and sanitization on all user-supplied parameters in custom code or plugin extensions. 5. Use parameterized queries or prepared statements in plugin development to prevent SQL injection vulnerabilities. 6. Regularly audit WordPress plugins for security issues and remove unused or unmaintained plugins. 7. Monitor database query logs for anomalous or unexpected queries that could indicate exploitation attempts. 8. Educate site administrators on the risks of granting unnecessary privileges and the importance of timely updates.