CVE-2025-13724 Overview
CVE-2025-13724 is a time-based blind SQL Injection vulnerability in the VikRentCar Car Rental Management System plugin for WordPress. The flaw affects all versions up to and including 1.4.4. It exists in the month parameter handled by admin/views/overv/view.html.php, where the plugin fails to escape user-supplied input and does not prepare the SQL query correctly. Authenticated attackers with Administrator-level access or above can append SQL fragments to the existing query and extract data from the WordPress database. The vulnerability is tracked under CWE-89 (SQL Injection).
Critical Impact
An authenticated administrator, or an attacker holding a stolen administrator session, can exfiltrate database contents through time-based blind queries, including the password hashes in wp_users and the user metadata in wp_usermeta. Extraction is slow (one bit or byte per request) but fully automatable, so a patient attacker can read any table the plugin's database user can reach.
Affected Products
- VikRentCar Car Rental Management System plugin for WordPress, all versions up to and including 1.4.4
- WordPress sites running the vulnerable plugin; the practical risk is highest where Administrator privileges are delegated to multiple users or third-party operators, since the attacker already needs that role
Discovery Timeline
- 2025-12-02 - CVE-2025-13724 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-13724
Vulnerability Analysis
The vulnerability resides in the administrative overview view of the VikRentCar plugin, specifically in admin/views/overv/view.html.php around line 195. The month parameter is read from the HTTP request and concatenated into a SQL query without parameterized binding or proper escaping. Because the result of the query is not directly reflected to the attacker, exploitation relies on time-based blind techniques. An attacker injects payloads that trigger conditional SLEEP() or BENCHMARK() operations, then infers data byte-by-byte from server response latency. Successful exploitation yields read access to any table the WordPress database user can reach, including wp_users, wp_usermeta, and plugin-specific tables containing rental and customer data.
Root Cause
The root cause is insufficient input validation combined with the absence of prepared statements. The month value is treated as a trusted string and inserted into the SQL statement directly. WordPress provides $wpdb->prepare() for parameterized queries, and a month only ever needs to be an integer from 1 to 12, so a %d placeholder (or an absint() cast followed by a range check) would have closed the hole; the plugin uses neither on this code path. This pattern matches CWE-89, Improper Neutralization of Special Elements used in an SQL Command.
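The following is an added illustration, not VikRentCar's own code and not the actual query from view.html.php. It contrasts the pattern the advisory describes (a request value concatenated into SQL) with the validated, $wpdb->prepare()-bound form that closes it. The table name, column names and the structure of the query are assumptions chosen for the example; $wpdb, absint(), wp_unslash() and WP_Error are standard WordPress APIs.

```php
<?php
/*
 * Added illustration, not VikRentCar's own code. Table and column names are
 * assumptions; only the $wpdb API calls are real WordPress functions.
 * Requires a WordPress runtime (global $wpdb) to execute.
 */

// VULNERABLE PATTERN (the shape the advisory describes): the raw request value
// is spliced into the statement. A value such as
//   5 AND IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users LIMIT 1),1,1))>77,SLEEP(5),0)
// becomes part of the query and the attacker measures the response time.
function vulnerable_month_query( $wpdb, array $request ) {
    $month = $request['month'];                                   // untrusted, unvalidated string
    $sql   = "SELECT id, start_ts, end_ts FROM {$wpdb->prefix}vrc_orders "
           . "WHERE MONTH(FROM_UNIXTIME(start_ts)) = " . $month;  // direct concatenation
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: validate against the value's domain (an integer 1..12),
// then bind it with a %d placeholder so the database never parses it as SQL.
// absint() turns '5 AND SLEEP(5)' into 5 and a non-numeric value into 0,
// which the range check then rejects.
function hardened_month_query( $wpdb, array $request ) {
    $month = isset( $request['month'] ) ? absint( wp_unslash( $request['month'] ) ) : 0;
    if ( $month < 1 || $month > 12 ) {
        return new WP_Error( 'invalid_month', 'month must be an integer between 1 and 12' );
    }
    $sql = $wpdb->prepare(
        "SELECT id, start_ts, end_ts FROM {$wpdb->prefix}vrc_orders "
        . "WHERE MONTH(FROM_UNIXTIME(start_ts)) = %d",            // %d: integer placeholder
        $month
    );
    return $wpdb->get_results( $sql );
}
```

Interpolating $wpdb->prefix into the statement is the normal WordPress idiom because the prefix comes from wp-config.php, not from the request; everything that does come from the request goes through the placeholder. The range check matters as well as the placeholder: without it, absint() silently maps garbage to 0 and the page would query a month that does not exist instead of failing loudly.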
Attack Vector
Exploitation is network-based and requires an authenticated session with Administrator privileges. The attacker submits a crafted request to the plugin's overview view with a malicious month parameter containing a time-based blind SQL Injection payload. The payload conditions a delay on the truth value of a sub-query, allowing the attacker to read arbitrary database content one bit at a time. Because the precondition is administrator-level access, the practical risk surfaces in multi-admin environments, compromised privileged accounts, or hosting platforms where lower-trust operators receive admin roles.
For source-level context, see the plugin's admin view file in its source on the WordPress.org plugin repository. The fix is described in the plugin's WordPress.org changeset history and in the Wordfence vulnerability report.
Detection Methods for CVE-2025-13724
Indicators of Compromise
- Authenticated requests to the VikRentCar overview view containing SQL keywords in the month parameter, such as SLEEP, BENCHMARK, SELECT, UNION, or IF(. Decode URL encoding before matching: in the raw access log the payload appears as IF%28...SLEEP%285%29, not as readable SQL.
- Unusually long response times on the admin requests that load the plugin's overview view, clustered around a SLEEP() or BENCHMARK() duration rather than spread out like ordinary page-load latency.
- Repeated administrator requests with incrementing payloads, indicating bit-by-bit blind extraction.
- Web server access logs showing administrator IP addresses issuing hundreds or thousands of similar requests in a short window.
Detection Strategies
- Inspect HTTP request logs for any month value other than an integer from 1 to 12 supplied to VikRentCar admin views; decode URL encoding first, since the injected characters arrive percent-encoded.
- Correlate slow database queries with administrator session activity using the MySQL slow query log. A query that stalls on SLEEP() exceeds long_query_time and is logged with its full text, so the injected fragment itself ends up in the log.
- Deploy a Web Application Firewall (WAF) rule for the month parameter. A keyword blocklist for SQL metacharacters and time-delay functions catches naive payloads; a positive check that only allows an integer 1 to 12 is stronger because it does not depend on recognizing every bypass.
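The following hunting script is an added example, not part of the advisory or of the VikRentCar plugin. It runs the three strategies above, plus the burst indicator from the Indicators of Compromise list, over web server access log lines. Assumptions: Apache combined log format with the request duration in microseconds appended as a final field (LogFormat with %D), and a plugin admin URL that carries the parameter as ?month= (the page and task values in the URL are invented for the example). The sample lines are constructed in the script, not captured from a real server.

```php
<?php
/*
 * Added hunting script, not part of the advisory or of the VikRentCar plugin.
 * Assumptions: combined log format plus a trailing microsecond duration field
 * (Apache %D), and a plugin admin URL carrying ?month=. The sample lines are
 * constructed for the example, not taken from a real server.
 */

const MONTH_PARAM  = 'month';
const SLOW_USEC    = 2000000; // 2 s: a SLEEP()-sized delay on an admin page
const BURST_WINDOW = 60;      // seconds
const BURST_COUNT  = 20;      // month requests per source in the window before alerting

// Combined log format plus one trailing duration field.
const LOG_RE = '/^(?<ip>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "[^"]*" (?<usec>\d+)$/';
// Keywords the advisory lists as indicators; function names must be followed by "(".
const SQL_RE = '/\b(sleep|benchmark|if)\s*\(|\bunion\b|\bselect\b|--|\/\*/i';

function hunt_month_param(array $lines): array
{
    $alerts = [];
    $hits   = []; // "ip user" => timestamps of requests carrying the month parameter
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue; // unparsable line: skip it rather than abort the hunt
        }
        parse_str((string) parse_url($m['path'], PHP_URL_QUERY), $params); // URL-decodes values
        if (!isset($params[MONTH_PARAM]) || !is_string($params[MONTH_PARAM])) {
            continue; // not a request to the month-driven view
        }
        $month   = $params[MONTH_PARAM];
        $reasons = [];
        if (!preg_match('/^(0?[1-9]|1[0-2])$/', $month)) {
            $reasons[] = 'month is not an integer 1..12';
        }
        if (preg_match(SQL_RE, $month)) {
            $reasons[] = 'SQL keyword in month';
        }
        if ((int) $m['usec'] >= SLOW_USEC) {
            $reasons[] = sprintf('slow response (%.1f s)', $m['usec'] / 1e6);
        }
        $ts  = DateTime::createFromFormat('d/M/Y:H:i:s O', $m['time'])->getTimestamp();
        $key = $m['ip'] . ' ' . $m['user'];
        $hits[$key][] = $ts;
        $recent = array_filter($hits[$key], fn ($t) => $t >= $ts - BURST_WINDOW);
        if (count($recent) >= BURST_COUNT) {
            $reasons[] = count($recent) . ' month requests in ' . BURST_WINDOW . ' s (possible bit-by-bit extraction)';
        }
        if ($reasons) {
            $alerts[] = ['time' => $m['time'], 'source' => $key, 'month' => $month, 'reasons' => $reasons];
        }
    }
    return $alerts;
}

// Constructed sample: one legitimate request, one time-based payload, then a burst
// of conditional-delay guesses such as an extraction script would issue.
$tpl   = '203.0.113.7 - admin [%s +0000] "GET /wp-admin/admin.php?page=vikrentcar&task=overv&month=%s HTTP/1.1" 200 8123 "-" "%s" %d';
$base  = gmmktime(10, 15, 0, 12, 2, 2025);
$lines = [
    sprintf($tpl, gmdate('d/M/Y:H:i:s', $base), '12', 'Mozilla/5.0', 141200),
    sprintf($tpl, gmdate('d/M/Y:H:i:s', $base + 8),
        rawurlencode('12 AND IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users LIMIT 1),1,1))>77,SLEEP(5),0)'),
        'python-requests/2.31', 5102844),
];
for ($i = 0; $i < BURST_COUNT; $i++) { // one request per guess, 2 s apart; only the true guess sleeps
    $lines[] = sprintf($tpl, gmdate('d/M/Y:H:i:s', $base + 20 + 2 * $i),
        rawurlencode("12 AND IF(1=$i,SLEEP(2),0)"), 'python-requests/2.31',
        95000 + ($i === 1 ? 2000000 : 0));
}

foreach (hunt_month_param($lines) as $a) {
    $shown = strlen($a['month']) > 60 ? substr($a['month'], 0, 57) . '...' : $a['month'];
    printf("ALERT %s %s month=%s\n    %s\n", $a['time'], $a['source'], $shown, implode("\n    ", $a['reasons']));
}
```

The legitimate month=12 request produces no alert; every payload line fires on the non-numeric and keyword checks, the SLEEP(5) probe also fires the slow-response check, and once the burst reaches BURST_COUNT requests inside the window the volume reason is added. In production, feed the function the plugin's admin log lines and tune SLOW_USEC to the site's normal admin-page latency; the positive check (integer 1 to 12) is the one that survives payload obfuscation, the keyword match only adds context.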
Monitoring Recommendations
- Install an activity or audit logging plugin (WordPress core does not ship one) configured to record administrator actions and request parameters on plugin pages.
- Forward web server, PHP, and MySQL logs to a centralized analytics platform for retroactive hunting.
- Alert on administrator accounts whose request volume or timing against plugin admin pages deviates from their baseline, since blind extraction needs hundreds of near-identical requests.
How to Mitigate CVE-2025-13724
Immediate Actions Required
- Upgrade the VikRentCar Car Rental Management System plugin to the first release after 1.4.4 that the vendor and the Wordfence report identify as fixed.
- Audit all WordPress accounts with Administrator privileges and remove unnecessary elevated access.
- If exploitation is suspected, rotate the WordPress database credentials, force a password reset for every account (the attacker may hold the wp_users password hashes), and regenerate the authentication keys and salts in wp-config.php so that all existing sessions are invalidated.
- Look for evidence of exploitation in web server access logs and in the MySQL slow or general query logs; a read-only SQL injection leaves no trace in the data itself, so the logs are the only record of what was queried.
Patch Information
The fix is referenced in the WordPress Change Set History for the VikRentCar plugin. Site operators should monitor the official plugin page on WordPress.org and apply the post-1.4.4 release that introduces prepared statements for the month parameter. Additional remediation guidance is published in the Wordfence Vulnerability Report.
Workarounds
- Restrict access to /wp-admin/ by IP allowlist until the plugin is updated. This blocks use of stolen administrator credentials from outside the allowlist but does nothing against a malicious or compromised administrator who is already inside it.
- Deploy a WAF signature that rejects requests containing SQL keywords or time-delay functions in the month parameter.
- Disable or remove the VikRentCar plugin on sites that do not actively use car rental functionality.
- Enforce multi-factor authentication on every WordPress administrator account to reduce abuse of stolen credentials.
# Example WAF rule (ModSecurity) blocking SQLi patterns in the month parameter.
# phase:2 inspects both query-string and POST body arguments, and ARGS values
# are already URL-decoded when the regex runs. A keyword blocklist is a
# stop-gap: it misses variants such as an inline comment between the function
# name and its parenthesis. The month parameter only ever needs a value of
# 1 to 12, so a rule that denies anything not matching ^(0?[1-9]|1[0-2])$ is
# the stronger check.
SecRule ARGS:month "@rx (?i)(sleep\(|benchmark\(|union\s+select|--|;)" \
    "id:1013724,phase:2,t:none,deny,status:403,log,msg:'CVE-2025-13724 VikRentCar SQLi attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


