Description
The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-01-06
Score: 6.5 Medium
EPSS: 6.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CBX Bookmark & Favorite plugin for WordPress contains a generic SQL Injection vulnerability that originates from an insufficiently escaped `orderby` query parameter. An attacker who is authenticated with at least Subscriber level privileges can include additional SQL fragments in that parameter, allowing the attacker to augment the original clause and run arbitrary queries against the WordPress database. This can result in the extraction of sensitive information, such as user credentials or site content, and compromises confidentiality and integrity. The flaw is a classic CWE‑89 injection weakness that arises because the application fails to properly prepare or sanitize user input before incorporating it into a database request.

Affected Systems

The vulnerability affects all versions of the CBX Bookmark & Favorite WordPress plugin up to and including 2.0.4. The problem was discovered in the plugin developed by manchumahara, and no other product versions are listed as affected.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of 6% suggests a non-negligible probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers must hold at least Subscriber-level access to exploit the flaw, but Subscriber is the lowest WordPress role and many sites grant it to any registered user; once authenticated, the attacker can manipulate the orderby parameter and extract data, potentially from the entire database. Given the lack of an immediate public fix, the risk remains significant for sites that have not upgraded their plugin.

Generated by OpenCVE AI on May 1, 2026 at 05:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CBX Bookmark & Favorite to a version newer than 2.0.4 that eliminates the unsanitized orderby parameter.
  • Restrict WordPress users who can interact with this plugin to elevated roles such as Administrator or Editor, thereby preventing Subscriber‑level attackers from triggering the injection.
  • Validate and escape any user‑supplied data for the orderby parameter, ensuring it contains only acceptable column names or ordering directives before inclusion in SQL queries.
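The allowlist check described in the last recommendation, written out as a stand-alone PHP function. This is an added example, not code from the CBX Bookmark & Favorite plugin or from OpenCVE: the table columns (`created_at`, `title`, `user_id`) and the function name `example_safe_orderby` are constructed for illustration, since the page does not list the plugin's schema. The idea is that the client-supplied string is only ever used as a lookup key; the text that reaches the SQL comes from the map, never from the request.

```php
<?php
// Added example (not the plugin's code): allowlist handling of the
// `orderby` and `order` request parameters before they are spliced into
// an ORDER BY clause. Column names below are constructed placeholders.

/**
 * Accepted request values => real column names.
 * Keys are what a client may send; values are what reaches the query.
 * Anything that is not a key here is rejected outright.
 */
const EXAMPLE_ORDERBY_ALLOWLIST = [
    'id'    => 'id',
    'date'  => 'created_at',   // constructed column name
    'title' => 'title',        // constructed column name
    'user'  => 'user_id',      // constructed column name
];

/**
 * Build a safe ORDER BY fragment from untrusted input.
 *
 * @param mixed $orderby Raw request value, e.g. $_GET['orderby'].
 * @param mixed $order   Raw request value, e.g. $_GET['order'].
 * @return string|null   "ORDER BY `col` ASC|DESC", or null if not allowed.
 */
function example_safe_orderby($orderby, $order = 'ASC'): ?string
{
    // Query strings can carry arrays (?orderby[]=x); only plain strings qualify.
    if (!is_string($orderby) || !is_string($order)) {
        return null;
    }

    $key = strtolower(trim($orderby));
    if (!array_key_exists($key, EXAMPLE_ORDERBY_ALLOWLIST)) {
        return null;   // unknown key or extra SQL text: refuse, do not "clean"
    }
    $column = EXAMPLE_ORDERBY_ALLOWLIST[$key];

    // Direction is one of exactly two literals; the user's string is never echoed.
    $direction = strtoupper(trim($order)) === 'DESC' ? 'DESC' : 'ASC';

    return "ORDER BY `{$column}` {$direction}";
}

// Demonstration with constructed inputs (run with: php this_file.php).
$samples = [
    ['title', 'desc'],            // accepted
    ['date', 'asc'],              // accepted, mapped to created_at
    ['id', 'sideways'],           // bad direction falls back to ASC
    ['created_at', 'asc'],        // real column name but not a request key: rejected
    ['title, created_at', 'asc'], // extra SQL text appended: rejected
    [['title'], 'asc'],           // non-scalar input: rejected
];

foreach ($samples as [$ob, $o]) {
    printf("%-24s %-9s => %s\n",
        json_encode($ob), $o,
        example_safe_orderby($ob, $o) ?? 'REJECTED');
}

// In a WordPress plugin the fragment would be appended to a query whose
// value parameters still go through $wpdb->prepare(), e.g. (assumed table name):
//   $sql = $wpdb->prepare("SELECT * FROM {$wpdb->prefix}example_bookmarks WHERE user_id = %d", $uid)
//        . ' ' . (example_safe_orderby($_GET['orderby'] ?? '', $_GET['order'] ?? '') ?? 'ORDER BY `id` ASC');
```

WordPress also ships `sanitize_sql_orderby()`, which checks that a string looks like a column list with optional ASC/DESC; it does not check that the columns exist or belong to the intended table, so a fixed allowlist as above is the stricter control and the one the recommendation calls for.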

Generated by OpenCVE AI on May 1, 2026 at 05:59 UTC.

Advisories

No advisories yet.

History

Tue, 06 Jan 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Tue, 06 Jan 2026 03:30:00 +0000

Type: Description
Values Added: The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: CBX Bookmark & Favorite <= 2.0.4 - Authenticated (Subscriber+) SQL Injection via `orderby` Parameter

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:54.481Z

Reserved: 2025-11-25T11:26:54.894Z

Link: CVE-2025-13652

Vulnrichment

Updated: 2026-01-06T15:34:17.256Z

NVD

Status : Deferred

Published: 2026-01-06T04:15:52.740

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13652

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:00:13Z

Weaknesses