CVE-2025-13782: SQL Injection in taosir WTCMS
A vulnerability was identified in taosir WTCMS up to commit 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. Affected by this issue is the function delete of the file application/Admin/Controller/SlideController.class.php of the component SlideController. The manipulation of the argument ids leads to SQL injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-13782 identifies a SQL injection vulnerability in the taosir WTCMS content management system, specifically within the delete function of the SlideController component (file: application/Admin/Controller/SlideController.class.php). The vulnerability is triggered by manipulation of the 'ids' parameter, which is not properly sanitized before being used in SQL queries. This allows remote attackers to inject malicious SQL statements, potentially leading to unauthorized data access, modification, or deletion. The vulnerability requires no authentication or user interaction, increasing its risk profile. The product follows a rolling release approach, making it difficult to pinpoint affected versions beyond the specified commit hash. Despite the vendor being notified, no patches or updates have been issued. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the network attack vector, lack of authentication, and partial impact on confidentiality, integrity, and availability. Although no confirmed exploits are reported in the wild, public exploit code exists, increasing the likelihood of exploitation. This vulnerability poses a significant risk to organizations relying on WTCMS for web content management, especially if sensitive data is stored or processed.
Potential Impact
For European organizations, exploitation of this SQL injection vulnerability could result in unauthorized access to sensitive data, data corruption, or denial of service conditions affecting web applications running WTCMS. This could lead to data breaches involving personal data protected under GDPR, resulting in regulatory penalties and reputational damage. The ability to execute arbitrary SQL commands remotely without authentication increases the attack surface and potential for widespread compromise. Organizations operating critical services or handling sensitive information through WTCMS are particularly vulnerable. Additionally, the lack of vendor response and patches heightens the risk of exploitation. The rolling release nature of WTCMS complicates patch management and vulnerability tracking, potentially delaying remediation efforts. Overall, the vulnerability could disrupt business operations, compromise data integrity, and expose organizations to compliance violations.
Mitigation Recommendations
European organizations using taosir WTCMS should implement immediate mitigations to reduce risk. First, apply strict input validation and sanitization on the 'ids' parameter within the SlideController delete function, ideally by using parameterized queries or prepared statements to prevent SQL injection. If source code modification is not feasible, deploy a Web Application Firewall (WAF) with custom rules to detect and block malicious SQL injection payloads targeting the vulnerable endpoint. Monitor database logs and web server access logs for suspicious activity indicative of injection attempts. Conduct thorough code reviews and security testing on all user input handling components. Organizations should also consider isolating the WTCMS environment and restricting database user privileges to limit potential damage. Engage with the vendor or community to obtain updates or patches as they become available. Finally, maintain regular backups and have an incident response plan ready to address potential exploitation.
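The first mitigation above (validate the 'ids' argument and move it into a prepared statement) is shown below as an added example. This is not WTCMS code and does not reproduce the real SlideController: the table name `slide`, the column `id`, the use of PDO with an in-memory SQLite database, and the function names are all assumptions made for the demonstration. The unsafe function is included only to make the contrast with the hardened one explicit; it is never called.

```php
<?php
// Added example, not WTCMS code. Table name 'slide' and column 'id' are assumed.
declare(strict_types=1);

/**
 * Pattern to avoid (not called): the raw 'ids' string is spliced into the
 * SQL text, so the request can change the structure of the DELETE query.
 */
function deleteSlidesUnsafe(PDO $db, string $ids): int
{
    $sql = "DELETE FROM slide WHERE id IN ($ids)";
    return (int) $db->exec($sql);
}

/**
 * Parse a comma-separated id list, accepting only positive decimal integers.
 * Anything else (quotes, spaces inside a token, keywords) is rejected before
 * any SQL is built. Duplicates are collapsed.
 */
function parseIds(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $piece) {
        $piece = trim($piece);
        if ($piece === '' || !preg_match('/^[1-9][0-9]*$/', $piece)) {
            throw new InvalidArgumentException("Invalid id: '$piece'");
        }
        $ids[] = (int) $piece;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('No ids supplied');
    }
    return array_values(array_unique($ids));
}

/**
 * Hardened delete: one bound parameter per id, so the values travel
 * separately from the SQL text and cannot alter the query.
 */
function deleteSlidesSafe(PDO $db, string $rawIds): int
{
    $ids = parseIds($rawIds);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM slide WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positions are 1-based
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-contained demonstration against a constructed in-memory table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE slide (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO slide (id, title) VALUES (1,'a'),(2,'b'),(3,'c'),(4,'d')");

echo deleteSlidesSafe($db, '2, 3') . " rows deleted\n"; // 2

// A value that is not a plain integer list never reaches the database.
try {
    deleteSlidesSafe($db, "2,3'");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

The whitelist regex does the heavy lifting: because every token must match `^[1-9][0-9]*$`, the prepared statement is a second, independent layer rather than the only one. Restricting the database account used by the web application to the tables it actually needs (as the recommendations also suggest) limits what a bypass of either layer could do.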
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-29T12:55:25.664Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692bb8adb00568eef0ca8d63
Added to database: 11/30/2025, 3:23:25 AM
Last enriched: 12/7/2025, 4:17:37 AM
Last updated: 1/14/2026, 7:34:21 AM