CVE-2025-13724 identifies a critical SQL Injection vulnerability in the VikRentCar Car Rental Management System plugin for WordPress, present in all versions up to and including 1.4.4. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89), specifically due to insufficient escaping and lack of prepared statements for the 'month' parameter. This parameter is used in SQL queries without adequate sanitization, enabling authenticated attackers with Administrator-level privileges or higher to inject arbitrary SQL code. The attack vector is time-based blind SQL Injection, which allows attackers to infer data from the database by measuring response times, even when direct error messages are not available. This can lead to unauthorized extraction of sensitive information such as user credentials, payment data, or other confidential records stored in the database. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS 3.1 base score is 7.5, reflecting high severity due to network attack vector, low attack complexity, no user interaction, and high confidentiality impact, though integrity and availability remain unaffected. No patches or official fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. The vulnerability affects the WordPress ecosystem, which is widely used globally, particularly in small to medium-sized businesses managing car rental operations through this plugin.

The primary impact of CVE-2025-13724 is the potential unauthorized disclosure of sensitive data stored within the VikRentCar plugin's database. Attackers with administrative access can exploit the SQL Injection flaw to extract confidential information such as customer personal data, payment details, booking records, and possibly WordPress user credentials. This breach of confidentiality can lead to identity theft, financial fraud, and reputational damage for affected organizations. Although the vulnerability does not directly compromise data integrity or availability, the exposure of sensitive data can have severe legal and compliance consequences, especially under regulations like GDPR or CCPA. Organizations relying on this plugin for their car rental management face increased risk of targeted attacks, especially if administrative accounts are compromised or shared. The ease of exploitation (low complexity) and network accessibility make this a significant threat in environments where the plugin is deployed. The lack of known exploits in the wild suggests limited current exploitation but also indicates a window of opportunity for attackers before patches are available.

To mitigate CVE-2025-13724, organizations should immediately restrict administrative access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Since no official patches are currently available, administrators should consider temporarily disabling or removing the VikRentCar plugin until a secure version is released. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL Injection patterns targeting the 'month' parameter can provide interim protection. Regularly auditing and monitoring database queries and logs for unusual activity related to the plugin is recommended. Additionally, applying the principle of least privilege by limiting database user permissions associated with the plugin can reduce potential damage from exploitation. Organizations should subscribe to vendor updates and CVE databases to promptly apply patches once released. Finally, conducting security assessments and penetration testing on WordPress installations using this plugin can help identify and remediate other potential vulnerabilities.