Description
The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘starting_with’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-12-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Theft via SQL Injection
Action: Apply Patch
AI Analysis

Impact

The List Category Posts plugin contains a time‑based SQL Injection flaw in the starting_with parameter of the catlist shortcode. Insufficient input escaping and lack of prepared statements allow an authenticated contributor or higher to append arbitrary SQL to existing queries, enabling extraction of sensitive database contents. This weakness is formally categorized as CWE‑89, indicating a classic SQL injection risk that can compromise confidentiality by leaking user data, site configuration, and content.

Affected Systems

WordPress sites that are running the List Category Posts plugin with a version of 0.91.0 or earlier are affected. The plugin is maintained by the author fernanobt and is deployed via the WordPress Plugins repository. Any site that has granted Contributor‑level access to users and has the unpatched plugin version installed is at risk.

Risk and Exploitability

The CVSS score of 6.5 signals substantial impact, yet the EPSS score of < 1% indicates a very low current likelihood that attackers will exploit this flaw. The vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate with at least Contributor privileges and then supply a crafted starting_with value through the catlist shortcode. No publicly available exploit code has been documented, but the existence of the flaw means that any Contributor on the site could potentially leak data if the plugin remains unpatched.

Generated by OpenCVE AI on April 22, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the List Category Posts plugin to a version newer than 0.91.0 or remove the plugin if an update is unavailable.
  • Restrict Contributor access to the catlist shortcode until the plugin is updated or removed.
  • Audit the database for suspicious query patterns that may indicate injection activity, and review user accounts with Contributor privileges.
  • Implement a web application firewall rule that detects and blocks payloads attempting to inject SQL into the starting_with parameter of the catlist shortcode.

Generated by OpenCVE AI on April 22, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Dec 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Fernandobriano
Fernandobriano list Category Posts
Wordpress
Wordpress wordpress
Vendors & Products Fernandobriano
Fernandobriano list Category Posts
Wordpress
Wordpress wordpress

Thu, 11 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘starting_with’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title List Category Posts <= 0.91.0 - Authenticated (Contributor+) SQL Injection via Plugin's Shortcode
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Fernandobriano List Category Posts
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:26.275Z

Reserved: 2025-09-09T13:18:09.330Z

Link: CVE-2025-10163

cve-icon Vulnrichment

Updated: 2025-12-11T15:33:40.079Z

cve-icon NVD

Status : Deferred

Published: 2025-12-11T04:15:57.957

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10163

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T21:00:06Z

Weaknesses