CVE-2025-13370
Description
The ProjectList plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 0.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The ProjectList WordPress plugin ≤0.3.0 has a time-based SQL injection in the 'id' parameter, allowing authenticated Editor+ users to extract sensitive data.
Description
The ProjectList plugin for WordPress is vulnerable to time-based SQL Injection in all versions up to and including 0.3.0. The vulnerability resides in the 'id' parameter, where insufficient escaping and lack of prepared statements allow attackers to inject malicious SQL code. In a time-based blind injection the attacker learns the outcome of each injected condition from the delay in the server's response rather than from any data returned in the page, so the weakness is exploitable even when the query's result is never displayed.
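The defect class the advisory names (a user-supplied 'id' concatenated into a query with no preparation) is easiest to see next to its fix. The following is an added illustration written for this page, not code from the ProjectList plugin; the function names, the `{$wpdb->prefix}projectlist` table, the nonce action and the capability used in the handler are all assumptions for the example. The unsafe shape is shown only so that the hardened shape can be compared against it.

```php
<?php
// Added illustration of the weakness class described in CVE-2025-13370.
// This is not the plugin's code: projectlist_get_project(), the table name
// {$wpdb->prefix}projectlist and the handler below are assumptions.

// Unsafe shape: the request value is concatenated into the SQL text, so
// whatever characters the caller supplies become part of the statement.
function projectlist_get_project_unsafe( $id ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}projectlist WHERE id = " . $id;
    return $wpdb->get_row( $sql );
}

// Hardened shape: coerce to a non-negative integer first, then bind the value
// through $wpdb->prepare() with a %d placeholder. The final statement can only
// ever contain a number in that position, whatever the request carried.
function projectlist_get_project( $id ) {
    global $wpdb;
    $id = absint( $id );
    if ( 0 === $id ) {
        return null; // reject empty, negative and non-numeric input outright
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}projectlist WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}

// Caller side (assumed handler): a capability check and a nonce limit who can
// reach the query at all. They do not replace the prepared statement above;
// the advisory's issue is reachable by authenticated Editors, so the query
// itself must be safe regardless of who calls it.
function projectlist_handle_request() {
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'projectlist_view', 'projectlist_nonce' );

    $id = isset( $_GET['id'] ) ? $_GET['id'] : 0;
    return projectlist_get_project( $id );
}
```

The `%d` placeholder is the important choice: `$wpdb->prepare()` casts the bound value to an integer for `%d`, so a time-based payload in 'id' cannot survive into the executed statement. The `absint()` guard in front of it makes the rejection of bad input explicit rather than relying on the cast to silently turn it into 0.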
Exploitation
Conditions
The attack requires authenticated access with at least Editor-level privileges. The vulnerable parameter is user-supplied, and no special network position is needed beyond being able to interact with the plugin's administrative interface. The plugin was closed on November 20, 2025 due to a security problem [1]; because no fixed version was released, sites still running it remain exploitable.
Impact
An authenticated attacker can append additional SQL queries to existing ones, extracting sensitive information such as usernames, hashed passwords, or other protected data from the WordPress database. Time-based blind injection allows data exfiltration even without direct output.
Mitigation
The plugin is closed and no longer available for download [1]. Users should immediately remove or replace the plugin. No patched version exists; the only remediation is to stop using ProjectList entirely.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.