CatFolders – Tame Your WordPress Media Library by Category < 2.5.3 – Authenticated (Author+) SQL Injection via CSV Import | CVE 2025-9776 | Plugin Vulnerabilities

Description

The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affects Plugins

Fixed in 2.5.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e585998a-d78f-4923-865c-c3a9820b583f

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

SnailSploit

Verified

No

WPVDB ID

bea1643d-6107-43f0-bb5b-0771d9deb985

Timeline

Publicly Published

2025-09-10 (about 8 months ago)

Added

2025-09-10 (about 8 months ago)

Last Updated

2025-09-11 (about 8 months ago)

Other

Published

Title

Published

2025-02-18

Title

LTL Freight Quotes – SAIA Edition < 2.2.11 - Unauthenticated SQL Injection

Published

2024-10-21

Title

WP Sessions Time Monitoring Full Automatic < 1.1.0 - Unauthenticated SQL Injection

Published

2014-08-01

Title

Mingle Forum <= 1.0.31 - SQL Injection

Published

2024-08-07

Title

Slider by 10Web – Responsive Image Slider < 1.2.58 - Authenticated (Contributor+) SQL Injection via id Parameter

Published

2019-07-25

Title

Blog2Social < 5.6.0 - SQL Injection