SQL Injection Vulnerability in Plugin Organizer by WordPress
CVE-2025-13417

8.6HIGH

Key Information:

Vendor: WordPress
Status: Plugin Organizer
Vendor: CVE Published:; 29 December 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-13417?

The Plugin Organizer plugin for WordPress, prior to version 10.2.4, is susceptible to an SQL injection vulnerability due to inadequate parameter sanitization and escaping within its SQL statements. This oversight allows users with subscriber privileges to manipulate SQL queries, potentially leading to unauthorized access to sensitive data. It is crucial for website administrators to update to the latest version to mitigate this serious security risk and safeguard their sites against exploitation.

Affected Version(s)

Plugin Organizer 0 < 10.2.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-13417 - Proof of Concept

References

https://wpscan.com/vulnerability/862fdf28-5195-443d-8ef2-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

🟡
Public PoC available
Dec 29, 2025
👾
Exploit known to exist
Dec 29, 2025
Vulnerability published
Dec 29, 2025
Vulnerability Reserved
Nov 19, 2025

Credit

Alex Tselevich (nos3curity)

WPScan

JSON