CVE-2025-13417
Description
The Plugin Organizer WordPress plugin before 10.2.4 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers to perform SQL injection attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Plugin Organizer before 10.2.4 has a SQL injection via an unsanitized parameter, allowing authenticated subscriber-level users to execute arbitrary SQL.
The Plugin Organizer WordPress plugin in versions prior to 10.2.4 contains a SQL injection vulnerability; the issue is fixed in 10.2.4. The plugin fails to properly sanitize and escape a user-supplied parameter before incorporating it into a SQL statement, which directly leads to the injection flaw [1]. The issue is classified as High severity with a CVSS v3 score of 8.6.
Exploitation
The attack can be performed by any authenticated user with Subscriber-level privileges or higher. No special or elevated permissions beyond a standard subscriber account are required to trigger the vulnerable code path. The attacker sends a crafted request containing malicious SQL in the unsanitized parameter, which is then executed by the plugin against the WordPress database [1].
Impact
Successful exploitation allows the attacker to extract sensitive information from the database, modify or delete data, and potentially escalate privileges or gain administrative access to the site. Given the widespread use of WordPress plugins, this vulnerability could affect many installations. Proof of concept details have been publicly released, increasing the risk of exploitation [1].
Mitigation
The vulnerability is patched in version 10.2.4 of the Plugin Organizer. Users are strongly advised to update their plugin to the latest version immediately. No workarounds are provided, and sites running an older version should treat this as a critical security risk [1].
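To make the bug class concrete, the following is an added illustration and not code from Plugin Organizer: it shows the pattern the advisory describes (a request parameter concatenated into a SQL statement in a handler reachable by any logged-in user) next to the hardened form a WordPress plugin should use. The action name `po_lookup_group`, the table `po_groups` and the parameter `group_id` are hypothetical; the advisory does not identify the real parameter.

```php
<?php
// Added illustration, not code from Plugin Organizer. The handler, table and
// parameter names (po_lookup_group, {$wpdb->prefix}po_groups, group_id) are
// hypothetical; the advisory does not identify the real parameter.

// VULNERABLE PATTERN: the request value is concatenated straight into SQL.
// Any logged-in user (including a Subscriber) can reach a wp_ajax_ handler,
// and nothing here checks capability or nonce, or escapes the value.
add_action( 'wp_ajax_po_lookup_group_unsafe', function () {
    global $wpdb;
    $group_id = $_POST['group_id'];                       // raw, untrusted
    $sql = "SELECT * FROM {$wpdb->prefix}po_groups WHERE id = " . $group_id;
    wp_send_json( $wpdb->get_results( $sql ) );           // SQL injection
} );

// HARDENED PATTERN: capability check, nonce, type coercion, and a prepared
// statement so the value can never change the structure of the SQL.
add_action( 'wp_ajax_po_lookup_group', function () {
    global $wpdb;

    // 1. Only users allowed to manage plugins may call this; a Subscriber
    //    does not have this capability by default.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Reject requests that do not carry a valid nonce (CSRF protection).
    check_ajax_referer( 'po_lookup_group', 'nonce' );

    // 3. Coerce to the expected type before the value goes near SQL.
    $group_id = isset( $_POST['group_id'] ) ? absint( $_POST['group_id'] ) : 0;
    if ( 0 === $group_id ) {
        wp_send_json_error( 'invalid group_id', 400 );
    }

    // 4. $wpdb->prepare() binds the value; %d guarantees an integer literal.
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}po_groups WHERE id = %d",
        $group_id
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
} );
```

When reviewing a plugin for this class of issue, look for any `$wpdb` query built with string concatenation or interpolation of request data, and for `wp_ajax_` handlers that omit `current_user_can()` and a nonce check.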
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.2.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.