CVE-2025-13652 Overview
The CBX Bookmark & Favorite plugin for WordPress contains a SQL Injection vulnerability in the orderby parameter affecting all versions up to and including 2.0.4. This vulnerability arises from insufficient escaping of user-supplied input and a lack of proper SQL query preparation, allowing authenticated attackers with Subscriber-level access or above to append malicious SQL queries and extract sensitive information from the WordPress database.
Critical Impact
Authenticated attackers can exploit this SQL Injection vulnerability to extract sensitive database contents including user credentials, personal information, and other confidential data stored in the WordPress database.
Affected Products
- CBX Bookmark & Favorite plugin for WordPress versions up to and including 2.0.4
Discovery Timeline
- 2026-01-06 - CVE-2025-13652 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-13652
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists due to improper handling of the orderby parameter within the CBX Bookmark & Favorite plugin. The plugin fails to properly sanitize and escape user-supplied input before incorporating it into SQL queries. Additionally, the existing SQL query lacks sufficient preparation using parameterized queries or prepared statements, which would normally prevent SQL injection attacks.
The vulnerability requires only Subscriber-level authentication to exploit, which represents a low privilege barrier since WordPress sites often allow user registration at this level. Once authenticated, an attacker can manipulate the orderby parameter to inject arbitrary SQL statements that will be executed by the database server.
Root Cause
The root cause of this vulnerability is twofold: insufficient input escaping on user-supplied parameters and the absence of prepared statements in the SQL query construction. The plugin directly incorporates the orderby parameter value into SQL queries without proper validation or parameterization, violating secure coding practices for database interactions.
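The two patterns described above side by side, as an added example written for this page rather than code taken from the plugin or the changeset: column names cannot be bound with `$wpdb->prepare()`, so the fix for an `orderby` parameter is an allow-list lookup, with placeholders reserved for values. The table and column names, and the `$wpdb->prepare()` stand-in, are assumptions for illustration.

```php
<?php
// Added example (not the plugin's own code). Shows the vulnerable ORDER BY
// construction next to the allow-listed form. Table/column names are assumed.

// Vulnerable pattern: the request value is interpolated straight into SQL,
// so any SQL syntax the client sends becomes part of the statement.
function build_query_vulnerable(string $orderby, string $order): string {
    return "SELECT id, title, url FROM wp_cbx_bookmarks ORDER BY $orderby $order";
}

// Hardened pattern: map the request value onto a fixed set of real columns
// and directions; anything not in the map falls back to a safe default.
const ALLOWED_ORDERBY = ['id' => 'id', 'title' => 'title', 'created' => 'created_at'];

function safe_orderby(string $orderby, string $order): string {
    $column    = ALLOWED_ORDERBY[strtolower($orderby)] ?? 'id';
    $direction = strtoupper($order) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY `$column` $direction";
}

function build_query_hardened(string $orderby, string $order, int $user_id): string {
    // User-controlled *values* belong in placeholders; only the allow-listed
    // identifier fragment is concatenated. Inside WordPress this would be
    // $wpdb->prepare("SELECT ... WHERE user_id = %d " . safe_orderby(...), $user_id);
    // sprintf with %d is used here only so the example runs without WordPress.
    $where = sprintf('WHERE user_id = %d', $user_id);
    return "SELECT id, title, url FROM wp_cbx_bookmarks $where " . safe_orderby($orderby, $order);
}

// Constructed request values: a legitimate column name and one carrying SQL syntax.
foreach (['title', 'title, (SELECT 1)'] as $input) {
    echo "input: $input", PHP_EOL;
    echo "  vulnerable: ", build_query_vulnerable($input, 'ASC'), PHP_EOL;
    echo "  hardened:   ", build_query_hardened($input, 'ASC', 7), PHP_EOL;
}
```

With the second input the vulnerable query carries the injected subquery verbatim, while the hardened query silently orders by `id`.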
Attack Vector
The attack is conducted over the network and requires low-privilege authentication (Subscriber level). An attacker would craft a malicious request containing SQL syntax within the orderby parameter. When processed by the plugin, the injected SQL is executed against the database, allowing the attacker to extract sensitive data through techniques such as UNION-based injection, blind SQL injection, or error-based extraction methods.
The vulnerability allows attackers to read confidential database information but does not provide write access or enable denial of service attacks. The exploitation does not require user interaction and can be performed reliably against vulnerable installations. Technical details regarding the specific injection point can be found in the WordPress Change Log Entry and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-13652
Indicators of Compromise
- Unusual or malformed requests to WordPress endpoints containing SQL syntax in the orderby parameter
- Database query logs showing unexpected SQL statements appended to legitimate queries
- Error logs indicating SQL syntax errors or database exceptions from the CBX Bookmark & Favorite plugin
- Evidence of data exfiltration or unusual SELECT queries targeting sensitive tables like wp_users
Detection Strategies
- Monitor web application firewall (WAF) logs for SQL injection patterns in request parameters
- Implement database activity monitoring to detect anomalous query patterns or unauthorized data access
- Review WordPress access logs for requests to the CBX Bookmark & Favorite plugin with suspicious parameter values
- Deploy SQL injection detection rules that specifically target the orderby parameter manipulation
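One way to implement the access-log review and the orderby-specific rule listed above, as an added example that is not part of the original advisory: flag any request whose `orderby` query parameter is not a bare column identifier. The log lines are constructed, and the `admin-ajax.php` action name is an assumed stand-in for the plugin's real endpoint; adjust the path filter to your deployment.

```php
<?php
// Added example (not from the original advisory): scan combined-format web
// access log lines for "orderby" values that contain anything beyond a plain
// identifier. Log lines and the plugin's ajax action are constructed/assumed.

$access_log = <<<'LOG'
203.0.113.10 - - [08/Jan/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=cbxbookmark_list&orderby=title&order=asc HTTP/1.1" 200 512
203.0.113.10 - - [08/Jan/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=cbxbookmark_list&orderby=title%2C(SELECT%201)&order=asc HTTP/1.1" 200 611
198.51.100.7 - - [08/Jan/2026:10:02:30 +0000] "GET /index.php?p=3&orderby=date HTTP/1.1" 200 2048
LOG;

// Returns one entry per suspicious line: [client IP, timestamp, decoded orderby value].
function find_suspicious_orderby(string $log): array {
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Client, timestamp and request target from a combined-format line.
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) /', $line, $m)) {
            continue;
        }
        $query = parse_url($m[3], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);              // URL-decodes the values
        if (!isset($params['orderby']) || !is_string($params['orderby'])) {
            continue;
        }
        $orderby = $params['orderby'];
        // A legitimate column reference is a bare identifier, optionally table.column.
        if (!preg_match('/^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)?$/', $orderby)) {
            $hits[] = [$m[1], $m[2], $orderby];
        }
    }
    return $hits;
}

foreach (find_suspicious_orderby($access_log) as [$ip, $ts, $value]) {
    printf("%s %s suspicious orderby=%s\n", $ip, $ts, $value);
}
```

Only the second constructed line is reported; pair the rule with a path filter for the plugin's endpoints to keep noise from unrelated `orderby` parameters down.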
Monitoring Recommendations
- Enable detailed WordPress debug logging to capture plugin-related errors and suspicious activities
- Configure database query logging to track all queries executed by the WordPress application
- Set up alerts for multiple failed or unusual database queries originating from plugin functionality
- Monitor for bulk data extraction patterns that may indicate successful exploitation
How to Mitigate CVE-2025-13652
Immediate Actions Required
- Update the CBX Bookmark & Favorite plugin to the latest patched version immediately
- Audit WordPress user accounts and remove unnecessary Subscriber-level accounts
- Review database logs for signs of prior exploitation attempts
- Consider temporarily disabling the plugin if an immediate update is not possible
Patch Information
A security fix has been released for this vulnerability. Administrators should update the CBX Bookmark & Favorite plugin to a version newer than 2.0.4. The patch details can be reviewed in the WordPress Plugin Changeset 3413499. Additional vulnerability information is available from the Wordfence Threat Intelligence Report.
Workarounds
- Implement a Web Application Firewall (WAF) with SQL injection protection rules targeting the orderby parameter
- Restrict user registration to prevent creation of Subscriber accounts if not required for site functionality
- Apply additional input validation at the web server level for requests to plugin endpoints
- Monitor and limit database permissions for the WordPress database user to minimize potential impact
```bash
# Verify the installed plugin version; the "update" field reads "available" when a newer release exists
wp plugin list --name=cbx-bookmark-favorite --fields=name,version,update
# Update the vulnerable plugin to the latest version
wp plugin update cbx-bookmark-favorite
# Alternatively, deactivate the plugin until the patch can be applied
wp plugin deactivate cbx-bookmark-favorite
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

