Description
The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-09-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection that allows an authenticated author or higher to extract sensitive database information
Action: Patch
AI Analysis

Impact

The CatFolders plugin for WordPress is vulnerable to a time-based (blind) SQL injection through its CSV Import feature in all releases up to and including 2.5.2. Values read from the imported CSV are placed into an existing SQL statement without escaping and without a prepared statement, so an authenticated user with Author-level access or higher can upload a CSV whose field contents append SQL to that query. "Time-based" means the attacker learns nothing from the page output itself; instead the injected SQL makes the database pause conditionally, and the response delay is used to infer the data one bit at a time. The flaw is classified as CWE-89 and permits extraction of confidential information from the site database.
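The two shapes of the bug described above, written as WordPress plugin code. This is an added illustration, not the CatFolders source (the page does not show it): a CSV field concatenated into SQL beside the same lookup through `$wpdb->prepare()`, plus an import handler that is reachable only by administrators and never assembles SQL text from CSV content. The table names, column names and the `catfolders_example_*` function names are assumptions made for the example; `$wpdb`, `current_user_can()`, `check_admin_referer()`, `absint()`, `sanitize_text_field()` and `wp_die()` are WordPress core APIs and the code assumes WordPress is loaded.

```php
<?php
/*
 * Added illustration, not CatFolders code. Assumes WordPress is loaded.
 * Table/column names and the catfolders_example_* functions are invented.
 */

/* Vulnerable shape: the CSV field is spliced into the SQL text, so whatever
 * the CSV author typed is parsed as SQL grammar. A field such as
 *   x' OR SLEEP(5) -- -
 * changes (or delays) the query instead of being compared as a name.
 * This is the CWE-89 pattern; do not copy it. */
function catfolders_example_folder_id_vulnerable( $folder_name ) {
	global $wpdb;
	$table = $wpdb->prefix . 'catfolders_example_folders';
	// No escaping and no prepare(): the value is part of the statement.
	return $wpdb->get_var( "SELECT id FROM {$table} WHERE name = '{$folder_name}'" );
}

/* Hardened shape: the value is bound with %s. $wpdb->prepare() quotes and
 * escapes it, and the SQL grammar is fixed before the CSV text is seen.
 * $table comes from $wpdb->prefix (trusted), not from the CSV. */
function catfolders_example_folder_id_safe( $folder_name ) {
	global $wpdb;
	$table = $wpdb->prefix . 'catfolders_example_folders';
	return $wpdb->get_var(
		$wpdb->prepare( "SELECT id FROM {$table} WHERE name = %s", $folder_name )
	);
}

/* Hardened import handler: admin-only, nonce-checked, every CSV field is
 * either coerced to an integer or bound as a string parameter. An
 * Author-level account never reaches the query at all. */
function catfolders_example_handle_csv_import() {
	global $wpdb;

	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'catfolders_example_csv_import' );

	if ( empty( $_FILES['csv']['tmp_name'] ) || ! is_uploaded_file( $_FILES['csv']['tmp_name'] ) ) {
		wp_die( 'No CSV uploaded.', '', array( 'response' => 400 ) );
	}

	$handle  = fopen( $_FILES['csv']['tmp_name'], 'r' );
	$table   = $wpdb->prefix . 'catfolders_example_relations';
	$updated = 0;

	// Expected row layout (assumed for the example): attachment_id,folder_name
	while ( ( $row = fgetcsv( $handle ) ) !== false ) {
		if ( count( $row ) < 2 ) {
			continue;
		}
		$attachment_id = absint( $row[0] );              // integer or 0, never raw text
		$folder_name   = sanitize_text_field( $row[1] ); // display hygiene; prepare() does the SQL safety
		if ( 0 === $attachment_id || '' === $folder_name ) {
			continue;
		}

		$folder_id = catfolders_example_folder_id_safe( $folder_name );
		if ( null === $folder_id ) {
			continue; // unknown folder: skip rather than create one from untrusted text
		}

		// replace() builds the statement itself and binds each value with the
		// given format, so no SQL text is assembled from CSV content here.
		$wpdb->replace(
			$table,
			array( 'attachment_id' => $attachment_id, 'folder_id' => (int) $folder_id ),
			array( '%d', '%d' )
		);
		$updated++;
	}
	fclose( $handle );

	return $updated;
}
```

In a plugin the handler would be registered on an `admin_post_{action}` hook and the upload form would carry the matching `wp_nonce_field()`. The capability check alone closes the Author-level path reported here; the `prepare()` and `%d` binding close the injection itself, which matters because an administrator account can also be phished or shared, and because the same query may later be reachable from another entry point.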

Affected Systems

This issue affects the CatFolders – Tame Your WordPress Media Library by Category plugin, version 2.5.2 and earlier. Every installation still running 2.5.2 or older is exposed; the advisory lists no version above 2.5.2 as affected.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 score of 6.5 (Medium). The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N decodes as: reachable over the network, low attack complexity, a low-privileged account required, no user interaction, and a high confidentiality impact with no integrity or availability impact. The EPSS score is below 1%, indicating a low predicted probability of exploitation, and the SSVC assessment records no known exploitation, not automatable, and partial technical impact. It is not listed in the CISA KEV catalog. An attacker needs an authenticated account at Author level or higher and must use the plugin's CSV Import endpoint to upload a CSV whose field contents carry the injected SQL. Successful exploitation allows data to be read out of the WordPress database.

Generated by OpenCVE AI on April 20, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CatFolders plugin to a release above 2.5.2 that addresses the CSV Import flaw; at the time of this page no fixed version is listed, so check the plugin's changelog before relying on an upgrade
  • Until a fixed release is installed, disable the CSV Import feature or restrict its use to trusted administrators only
  • Enforce stricter role management so that only trusted users hold Author-level or higher privileges, reducing the number of accounts that can reach the import endpoint

Generated by OpenCVE AI on April 20, 2026 at 19:39 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-28906
Title: The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Fri, 12 Sep 2025 09:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Catfolders; Catfolders tame Your Wordpress Media Library Plugin; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Catfolders; Catfolders tame Your Wordpress Media Library Plugin; Wordpress; Wordpress wordpress

Thu, 11 Sep 2025 14:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: SSVC v2.0.3: Exploitation: none; Automatable: no; Technical Impact: partial


Thu, 11 Sep 2025 04:45:00 +0000

Type: Description
  Values Added: The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
  Values Added: CatFolders – Tame Your WordPress Media Library by Category <= 2.5.2 - Authenticated (Author+) SQL Injection via CSV Import

Type: Weaknesses
  Values Added: CWE-89

Type: References
  Values Added: (none listed)

Type: Metrics (cvssV3_1)
  Values Added: score 6.5; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:53.204Z

Reserved: 2025-08-31T22:14:46.514Z

Link: CVE-2025-9776

Vulnrichment

Updated: 2025-09-11T13:12:16.396Z

NVD

Status: Deferred

Published: 2025-09-11T05:15:33.943

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9776

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:45:15Z

Weaknesses