CVE-2025-9776 identifies a time-based SQL Injection vulnerability in the CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress, affecting all versions up to and including 2.5.2. The flaw arises from insufficient escaping of user-supplied input in the CSV Import functionality, specifically allowing authenticated users with Author-level or higher privileges to inject malicious SQL code into existing queries. This improper neutralization of special elements (CWE-89) enables attackers to append additional SQL commands, which can be executed by the database engine. The vulnerability is time-based, meaning attackers can infer data by measuring response delays, facilitating extraction of sensitive information such as user data, configuration details, or other database contents. The vulnerability requires authentication but no additional user interaction, and the attack surface is limited to sites using this plugin. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, and high confidentiality impact, but no impact on integrity or availability. No patches or known exploits are currently documented, but the risk remains significant for affected installations.

The primary impact of CVE-2025-9776 is unauthorized disclosure of sensitive information stored in the WordPress database, which can include user credentials, personal data, or site configuration details. This can lead to privacy violations, compliance issues, and potential further attacks leveraging the extracted data. Since the vulnerability requires authenticated access at Author-level or above, the risk is elevated in environments with multiple contributors or less restrictive role assignments. Although the vulnerability does not directly affect data integrity or availability, the confidentiality breach can undermine trust and lead to reputational damage. Organizations relying on the CatFolders plugin for media management are at risk, especially those with high-value or sensitive content. The absence of known exploits in the wild suggests limited immediate threat, but the ease of exploitation and network accessibility warrant proactive mitigation.

To mitigate CVE-2025-9776, organizations should first verify if they use the CatFolders plugin and identify the version in use. Since no official patch is currently available, administrators should consider temporarily disabling the CSV Import feature or the plugin itself if feasible. Restricting user roles to minimize Author-level or higher privileges reduces the attack surface. Implementing Web Application Firewall (WAF) rules to detect and block SQL Injection patterns in requests targeting the CSV Import endpoint can provide additional protection. Monitoring database query logs for unusual or time-delayed queries may help detect exploitation attempts. Developers and site administrators should apply strict input validation and escaping on all user-supplied data, especially in import functionalities. Staying updated with vendor advisories for forthcoming patches is critical. Finally, conducting regular security audits and penetration tests focusing on plugin vulnerabilities can help identify and remediate similar issues.