CVE-2025-10163
BaseFortify
Publication date: 2025-12-11
Last updated on: 2025-12-11
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | list_category_posts_plugin | 0.91.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a time-based SQL Injection in the List category posts plugin for WordPress. It occurs via the 'starting_with' parameter of the catlist shortcode in all versions up to 0.91.0. The issue arises because the plugin does not properly escape user input and does not sufficiently prepare the SQL query, allowing authenticated users with Contributor-level access or higher to append additional SQL queries. This can be exploited to extract sensitive information from the database.
How can this vulnerability impact me?
An attacker with Contributor-level access or higher can exploit this vulnerability to perform time-based SQL Injection attacks, potentially extracting sensitive information from the database. This could lead to unauthorized data disclosure and compromise of confidential information stored in the WordPress database.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated attackers with Contributor-level access and above to perform time-based SQL Injection, potentially extracting sensitive information from the database. Such unauthorized data access could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches. Therefore, exploitation of this vulnerability may compromise compliance with these standards by exposing sensitive data. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying exploitation attempts targeting the 'starting_with' parameter in the List category posts WordPress plugin. Since the vulnerability is a time-based SQL Injection via this parameter, monitoring HTTP requests for unusual or suspicious payloads in the 'starting_with' parameter can help detect exploitation attempts. Additionally, reviewing WordPress logs or web server access logs for requests containing SQL syntax or injection patterns in this parameter is recommended. Specific commands depend on your environment, but an example is using grep on web server logs to find suspicious requests (the -E flag is needed so that the parentheses and | are treated as a regular-expression alternation rather than literal characters): grep -iE 'starting_with=.*(union|select|sleep|benchmark)' /var/log/apache2/access.log, or using tools like curl to test the parameter with benign and malicious inputs. However, no explicit detection commands are provided in the resources. [1]
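As an added illustration of the log-review approach described above (this is example code written for this page, not code from BaseFortify, Wordfence or the plugin), the following Python script scans Apache "combined"-format access log lines, pulls the 'starting_with' query-string value out of each request, URL-decodes it (twice, so double-encoded values are not missed) and flags values that contain SQL syntax. The log format, the assumption that the parameter shows up in the query string, the indicator list and the sample log lines are all constructed assumptions for the example; a sample that merely contains a word like "select" is reported for review rather than treated as proof of attack.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache "combined" log format, assumed for this example:
# ip ident user [timestamp] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# 'starting_with' is meant to hold a short prefix such as "A", so SQL keywords,
# comment markers, statement separators or a quote followed by OR/AND are
# all out of place. Keyword hits can be false positives and need review.
SQLI_RE = re.compile(
    r"(?i)\b(?:union|select|sleep|benchmark|pg_sleep|waitfor)\b"
    r"|--|/\*|;|'\s*(?:or|and)\b"
)

# Constructed sample log lines (not real traffic). Line 2 carries a
# time-based injection pattern, line 4 the same idea double-URL-encoded.
SAMPLE_LOG = [
    '198.51.100.4 - - [11/Dec/2025:10:00:01 +0000] "GET /?starting_with=A HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Dec/2025:10:00:09 +0000] "GET /blog/?starting_with=A%27+AND+SLEEP%285%29--+- HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.4 - - [11/Dec/2025:10:00:15 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Dec/2025:10:00:22 +0000] "GET /blog/?starting_with=A%2527%2520OR%2520BENCHMARK%25285000000%252CMD5%25281%2529%2529 HTTP/1.1" 200 5120 "-" "curl/8.0"',
]


def extract_starting_with(target: str) -> list[str]:
    """Return every 'starting_with' value in the request target's query string."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("starting_with", [])


def classify_value(value: str) -> list[str]:
    """Return the SQL-syntax indicators found in a (possibly double-encoded) value."""
    decoded = unquote_plus(value)  # parse_qs decoded once; decode again for %25xx
    return [m.group(0) for m in SQLI_RE.finditer(decoded)]


def scan_log(lines) -> list[dict]:
    """Scan access log lines and return the requests whose 'starting_with' looks like SQL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        for value in extract_starting_with(m.group("target")):
            indicators = classify_value(value)
            if indicators:
                hits.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "value": unquote_plus(value),
                    "indicators": indicators,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} starting_with={hit['value']!r} "
              f"indicators={hit['indicators']}")
```

Run it against a real log with `scan_log(open('/var/log/apache2/access.log'))`; the same indicator regex is also the basis for a WAF or SIEM rule, with the double-decoding step being the part a plain grep misses.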
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the List category posts plugin to a version later than 0.91.0 where the vulnerability is fixed. If an update is not immediately available, restrict Contributor-level and above users from accessing the vulnerable shortcode or disable the plugin temporarily. Additionally, applying web application firewall (WAF) rules to block SQL injection attempts targeting the 'starting_with' parameter can help mitigate exploitation. Ensuring proper input validation and escaping in custom code or plugin overrides is also recommended. Since the vulnerability arises from insufficient escaping of the 'starting_with' parameter, avoiding use of this parameter or sanitizing its input can reduce risk. [1]