
CVE-2025-13724: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in e4jvikwp VikRentCar Car Rental Management System

Severity: High
Tags: Vulnerability, CVE-2025-13724, CWE-89
Published: Tue Dec 02 2025 (12/02/2025, 08:24:54 UTC)
Source: CVE Database V5
Vendor/Project: e4jvikwp
Product: VikRentCar Car Rental Management System

Description

The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'month' parameter in all versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI-Powered Analysis

AI analysis last updated: 12/02/2025, 14:20:03 UTC

Technical Analysis

CVE-2025-13724 is a SQL Injection vulnerability classified under CWE-89, found in the VikRentCar Car Rental Management System plugin for WordPress, affecting all versions up to and including 1.4.4. The vulnerability arises from insufficient escaping and the lack of a prepared statement when the 'month' parameter is placed into an SQL query. This improper neutralization of special SQL elements allows an authenticated attacker with Administrator privileges to inject additional SQL commands into the existing query. The attack vector is network-based and requires no user interaction, but it does require administrative access, which limits the attack surface without eliminating the risk. The vulnerability is a time-based blind SQL Injection: the injected query returns nothing visible, so the attacker infers data from differences in response time, which still allows extraction of sensitive information such as user credentials, booking details, or payment information stored in the database. The plugin is widely used in WordPress environments managing car rental services, making the vulnerability relevant to organizations relying on this software. No patches or official fixes are currently available, and no exploits have been observed in the wild, but the vulnerability's presence in a critical business application elevates its risk profile. The CVSS 3.1 score of 7.5 reflects high confidentiality impact, low attack complexity, and no requirement for user interaction.
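To make the CWE-89 pattern described above concrete, the following is an added illustration and not VikRentCar's code, the vendor's patch, or any code from this advisory. It assumes a WordPress plugin context (the global `$wpdb` object, `current_user_can()`, `wp_die()`); the table `{$wpdb->prefix}demo_bookings`, its columns, and both function names are invented for the example. The first function shows the unsafe shape (user input concatenated into the query text), the second the standard remedy: validate the parameter as an integer in 1..12 and bind it through `$wpdb->prepare()` with `%d` so the query structure cannot change.

```php
<?php
/**
 * Hypothetical "bookings by month" report handler for a WordPress plugin.
 * Added example of the CWE-89 pattern in this advisory; NOT VikRentCar's code.
 * Table and column names below are invented for the illustration.
 */

// BEFORE: the 'month' parameter is interpolated straight into the SQL string.
// Any value that is not a plain number alters the query's structure. With a
// time-based blind injection nothing needs to be printed: the attacker learns
// data from how long the query takes to run, so the leak is silent.
function demo_bookings_for_month_vulnerable() {
    global $wpdb;
    $month = isset( $_GET['month'] ) ? $_GET['month'] : '1';  // raw, unescaped input
    $sql   = "SELECT id, customer_email, pickup_date
              FROM {$wpdb->prefix}demo_bookings
              WHERE MONTH(pickup_date) = $month";             // CWE-89: no escaping, no prepare()
    return $wpdb->get_results( $sql );
}

// AFTER: treat 'month' as data, never as SQL. Two independent layers:
//  1. Validate: a month is an integer in 1..12; reject anything else early.
//  2. Parameterise: $wpdb->prepare() with %d binds the value as an integer,
//     so the query text is fixed regardless of what the caller sends.
function demo_bookings_for_month_fixed() {
    global $wpdb;

    // The report is admin-only; the fix does not loosen that. The advisory's
    // point is that even administrator input must not be trusted inside SQL.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // filter_input() returns null when the parameter is absent and false when
    // it is not an integer within the allowed range.
    $month = filter_input( INPUT_GET, 'month', FILTER_VALIDATE_INT, array(
        'options' => array( 'min_range' => 1, 'max_range' => 12 ),
    ) );
    if ( null === $month || false === $month ) {
        wp_die( 'Invalid month', 400 );   // fail closed instead of querying
    }

    $sql = $wpdb->prepare(
        "SELECT id, customer_email, pickup_date
         FROM {$wpdb->prefix}demo_bookings
         WHERE MONTH(pickup_date) = %d",
        $month
    );
    return $wpdb->get_results( $sql );
}
```

The range check is what a WAF rule for the 'month' parameter would also encode: a legitimate request carries a one- or two-digit number, so anything longer or non-numeric in that parameter is a reasonable thing to block or log at the edge while the code-level fix is pending.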

Potential Impact

For European organizations, exploitation of this vulnerability could lead to unauthorized disclosure of sensitive customer and business data, including personal identification, payment information, and rental records. This breach of confidentiality could result in regulatory penalties under GDPR, reputational damage, and financial losses. Since the vulnerability requires administrator-level access, the risk is heightened if internal accounts are compromised or if attackers gain administrative credentials through phishing or other means. The car rental industry is significant in Europe, with many SMEs and large enterprises relying on WordPress plugins like VikRentCar for booking management. A successful attack could disrupt business operations indirectly by eroding customer trust and triggering compliance investigations. Additionally, attackers could leverage extracted data for further targeted attacks or fraud. The lack of known exploits reduces immediate risk but does not preclude future exploitation, especially as attackers often develop exploits after vulnerability disclosure.

Mitigation Recommendations

European organizations using VikRentCar should immediately audit their WordPress installations for the plugin version and restrict administrator access to trusted personnel only. Implementing strict access controls and multi-factor authentication for admin accounts can reduce the risk of credential compromise. Since no official patch is currently available, organizations should consider temporarily disabling the plugin or restricting access to the vulnerable functionality via web application firewalls (WAF) with custom rules to detect and block suspicious SQL injection patterns targeting the 'month' parameter. Regular database backups and monitoring for unusual query patterns or access logs can help detect exploitation attempts early. Organizations should also engage with the vendor or community to track patch releases and apply updates promptly once available. Additionally, conducting internal security training to prevent credential theft and maintaining updated intrusion detection systems will further mitigate risk.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-25T22:27:24.607Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692ef5303a1612a9372cbac8

Added to database: 12/2/2025, 2:18:24 PM

Last enriched: 12/2/2025, 2:20:03 PM

Last updated: 12/2/2025, 4:32:47 PM


