Atomic Edge analysis of CVE-2025-13652:
This vulnerability is an authenticated SQL injection in the CBX Bookmark & Favorite WordPress plugin. Attackers with Subscriber-level access or higher can inject arbitrary SQL commands via the ‘orderby’ parameter. The flaw affects all plugin versions up to and including 2.0.4, enabling sensitive database information extraction.

The root cause lies in the cbxbookmark_post_html() function within /includes/Helpers/CBXWPBookmarkHelper.php. The function directly concatenates user-controlled input into SQL ORDER BY clauses without proper validation or escaping. Specifically, the $order_by variable (line 1304) receives user input via the ‘orderby’ parameter from $_POST. This unsanitized value is then interpolated into SQL queries at lines 1413 and 1423, where it becomes part of the ORDER BY clause. The plugin’s reliance on string concatenation rather than prepared statements for column names creates the injection vector.

Exploitation requires an authenticated WordPress user with at least Subscriber privileges. Attackers send POST requests to WordPress AJAX endpoints that invoke the vulnerable function, such as those handling bookmark listing operations. The payload is delivered via the ‘orderby’ parameter, which is passed into the query without validation. For example, an attacker could submit ‘orderby=id,(SELECT CASE WHEN (1=1) THEN id ELSE sleep(5) END)’ to perform time-based blind SQL injection, extracting data through conditional delays.

The patch in version 2.0.5 introduces multiple validation layers. First, it adds input sanitization using absint() for numeric parameters and esc_attr() for string parameters. Crucially, it implements an allowlist validation check: the function cbxwpbookmarks_bookmark_sortable_keys() defines permitted column names, and line 1316 validates $order_by against this list. If the input doesn’t match allowed values, it defaults to ‘id’. The patch also standardizes table name references using curly braces for clarity and adds strict comparison operators to prevent type juggling issues.
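An added illustration of the allowlist pattern the patch describes, not the plugin's own code: the function names, the column list standing in for cbxwpbookmarks_bookmark_sortable_keys(), and the table name are assumptions, and the request array is constructed from the payload shape shown above.

```php
<?php
// Added example, not code from the CBX Bookmark & Favorite plugin.
// Shows why interpolating $_POST['orderby'] into ORDER BY is injectable and
// how a strict allowlist check removes the vector.

// Hypothetical stand-in for cbxwpbookmarks_bookmark_sortable_keys():
// the only column names an ORDER BY clause may ever reference.
function example_sortable_keys(): array {
    return ['id', 'object_id', 'user_id', 'created_date'];
}

// Vulnerable pattern: the request value is concatenated unchanged, so a
// value such as "id,(SELECT ...)" becomes part of the ORDER BY clause.
function example_order_by_unsafe(array $post): string {
    $order_by = isset($post['orderby']) ? (string) $post['orderby'] : 'id';
    return "SELECT * FROM example_bookmarks ORDER BY {$order_by}";
}

// Fixed pattern: the request value is only compared against the allowlist
// (strict in_array(), so no type juggling) and the query is built from the
// allowlist's own literal. Anything unexpected falls back to 'id'.
function example_order_by_safe(array $post): string {
    $requested = isset($post['orderby']) ? (string) $post['orderby'] : 'id';
    $keys      = example_sortable_keys();
    $index     = array_search($requested, $keys, true);
    $order_by  = ($index === false) ? 'id' : $keys[$index];

    // Sort direction gets the same treatment: two fixed literals, never input.
    $direction = isset($post['order']) ? strtoupper((string) $post['order']) : 'ASC';
    $order     = ($direction === 'DESC') ? 'DESC' : 'ASC';

    return "SELECT * FROM example_bookmarks ORDER BY {$order_by} {$order}";
}

// Constructed request mirroring the payload shape described in this analysis.
$request = [
    'orderby' => 'id,(SELECT CASE WHEN (1=1) THEN id ELSE sleep(5) END)',
    'order'   => 'asc',
];

// The injected expression survives into the first query; the second query
// contains only the allowlisted column name and a fixed direction.
echo example_order_by_unsafe($request), PHP_EOL;
echo example_order_by_safe($request), PHP_EOL;
```

Note that esc_attr() on its own would not have closed this hole: the payload contains no characters it escapes, which is why the allowlist check is the decisive part of the fix.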

Successful exploitation allows complete database compromise within the WordPress installation’s context. Attackers can extract sensitive information including user credentials (hashed passwords), personal data, API keys, and other plugin-specific data. While the CVSS score of 6.5 reflects the authentication requirement, the impact is severe as it enables full database exfiltration through standard SQL injection techniques like UNION-based or blind injection.