Add CVE-2025-13652 - CBX Bookmark & Favorite Plugin SQL Injection #15874

Merged
DhiyaneshGeek merged 5 commits into projectdiscovery:main from neosmith1:add-cve-2025-13652
Apr 13, 2026

Conversation

@neosmith1 (Contributor)

CVE-2025-13652: CBX Bookmark & Favorite Plugin SQL Injection

Adds detection template for SQL Injection vulnerability in CBX Bookmark & Favorite WordPress plugin before version 2.1.8.

Vulnerability Details

  • CVE: CVE-2025-13652
  • Product: CBX Bookmark & Favorite WordPress Plugin
  • Affected Versions: < 2.1.8
  • Vulnerability Type: SQL Injection (CWE-89)
  • CVSS Score: 9.8 Critical

Detection Method

  • Tests the orderby parameter in the cbxbkm_get_bookmarks AJAX action
  • Uses time-based blind SQL injection (SLEEP)
  • Detection requires 5+ second response delay

References
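As an added example (not the template submitted in this PR and not the plugin's own code), the following Python models the detection method described above: a handler that interpolates an untrusted `orderby` value into the query text, the allowlist fix beside it, and a time-based blind check that compares a benign request against a SLEEP payload and only flags the target when the extra delay reaches a threshold. The table, column names, handler names and the user id are constructed for the example; MySQL's `SLEEP()` is emulated with a user-defined function on an in-memory SQLite database so the timing can be observed offline. The real check uses a 5-second delay and threshold; the values here are scaled down.

```python
"""Time-based blind SQL injection on an ORDER BY parameter: vulnerable
handler, allowlist fix, and the baseline-vs-payload timing check.

Added example, not code from the nuclei template or from the plugin.
"""
import sqlite3
import time


def _sleep_udf(seconds):
    """Stand-in for MySQL SLEEP(): block for the given time, return 0."""
    time.sleep(float(seconds))
    return 0


def make_db():
    """Constructed sample data: three bookmark rows owned by user 7."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, _sleep_udf)  # emulate MySQL SLEEP()
    conn.execute(
        "CREATE TABLE bookmarks (id INTEGER, user_id INTEGER, title TEXT, created TEXT)"
    )
    conn.executemany(
        "INSERT INTO bookmarks VALUES (?, ?, ?, ?)",
        [(1, 7, "a", "2025-01-01"), (2, 7, "b", "2025-01-02"), (3, 7, "c", "2025-01-03")],
    )
    return conn


def vulnerable_get_bookmarks(conn, user_id, orderby):
    # Intentionally vulnerable: ORDER BY cannot take a bound parameter, so the
    # column name is pasted into the SQL text and any expression goes with it.
    sql = f"SELECT id, title FROM bookmarks WHERE user_id = ? ORDER BY {orderby}"
    return conn.execute(sql, (user_id,)).fetchall()


# Hypothetical allowlist: the only sort keys the handler should ever accept.
ALLOWED_ORDERBY = {"id", "title", "created"}


def hardened_get_bookmarks(conn, user_id, orderby):
    # Fix: validate against a fixed set of column names before building SQL.
    if orderby not in ALLOWED_ORDERBY:
        raise ValueError(f"invalid orderby: {orderby!r}")
    sql = f"SELECT id, title FROM bookmarks WHERE user_id = ? ORDER BY {orderby}"
    return conn.execute(sql, (user_id,)).fetchall()


def time_based_check(handler, conn, delay, threshold):
    """Return (baseline_secs, injected_secs, vulnerable).

    A benign request is timed first so a slow host is not mistaken for an
    injectable one; the payload asks the database to SLEEP `delay` seconds
    while sorting, and the target is flagged only if the injected request
    is at least `threshold` seconds slower than the baseline.
    """
    def timed(orderby):
        t0 = time.perf_counter()
        try:
            handler(conn, 7, orderby)
        except (ValueError, sqlite3.Error):
            pass  # a rejected or failing request still yields a timing
        return time.perf_counter() - t0

    baseline = timed("id")
    injected = timed(f"id, SLEEP({delay})")  # classic orderby payload shape
    return baseline, injected, (injected - baseline) >= threshold


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", vulnerable_get_bookmarks),
                          ("hardened", hardened_get_bookmarks)):
        base, inj, flagged = time_based_check(handler, db, delay=0.3, threshold=0.25)
        print(f"{name}: baseline={base:.3f}s injected={inj:.3f}s vulnerable={flagged}")
```

With SQLite the SLEEP call runs once per sorted row, so the injected request on the vulnerable handler takes roughly three times the delay; the hardened handler rejects the payload before any SQL is built and shows no delay at all. Measuring a baseline first is what keeps the check from reporting a slow but patched site.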

@neo-by-projectdiscovery-dev (Contributor) bot commented Apr 10, 2026

Neo - Nuclei Template Review

High: 1

Current PR state: 1 high active finding.

Highlights

  • High: CVSS Score Mismatch - Template Claims 9.8 Critical but Authenticated Vulnerability Should be 6.5 Medium in http/cves/2025/CVE-2025-13652.yaml:25

High (1)

  • CVSS Score Mismatch - Template Claims 9.8 Critical but Authenticated Vulnerability Should be 6.5 Medium (http/cves/2025/CVE-2025-13652.yaml:25)
    The template metadata contains contradictory severity information. Line 8 correctly states 'Exploitation requires at least subscriber-level WordPress authentication' and line 25 includes the authenticated tag, but the CVSS vector on line 16 has PR:N (Privileges Required: None) with a score of 9.8 Critical. According to NVD and Wordfence (the CVE Numbering Authority), the correct CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N with a score of 6.5 MEDIUM, not 9.8 Critical.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @http/cves/2025/CVE-2025-13652.yaml lines 16-17 and line 6, update the CVSS
vector from PR:N to PR:L, change cvss-score from 9.8 to 6.5, and change severity
from critical to medium to match the authenticated nature of the vulnerability
as confirmed by NVD (CVE-2025-13652) and Wordfence.

Hardening Notes
  • The change aligns CVSS impact scores with the actual vulnerability behavior - SLEEP-based SQL injection provides confidentiality impact only
  • Previous review findings at b2dc216 are now fully resolved with this CVSS correction


Comment thread on http/cves/2025/CVE-2025-13652.yaml (outdated)
vendor: cbxwire
product: cbx-bookmark-favorite
shodan-query: http.component:"WordPress"
tags: cve,cve2025,wordpress,wp-plugin,sqli,cbx,wpscan,vuln,authenticated
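Review bot: the `shodan-query` value `http.component:"WordPress"` on the third line selects every WordPress host, so it does not narrow target discovery to installs of cbx-bookmark-favorite; if a plugin-specific indicator exists (for example an asset path under its plugin directory), prefer that, and otherwise note in the metadata that the query is only a coarse pre-filter. The `authenticated` tag on the last line is correct for a subscriber-level issue and is the value the `severity` and CVSS fields elsewhere in the file have to agree with.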

🟠 CVSS Score Mismatch - Template Claims 9.8 Critical but Authenticated Vulnerability Should be 6.5 Medium (CWE-1395) — The template metadata contains contradictory severity information. Line 8 correctly states 'Exploitation requires at least subscriber-level WordPress authentication' and line 25 includes the authenticated tag, but the CVSS vector on line 16 has PR:N (Privileges Required: None) with a score of 9.8 Critical. According to NVD and Wordfence (the CVE Numbering Authority), the correct CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N with a score of 6.5 MEDIUM, not 9.8 Critical.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@http/cves/2025/CVE-2025-13652.yaml` lines 16-17 and line 6, update the CVSS
vector from PR:N to PR:L, change cvss-score from 9.8 to 6.5, and change severity
from critical to medium to match the authenticated nature of the vulnerability
as confirmed by NVD (CVE-2025-13652) and Wordfence.

@Akokonunes Akokonunes added the Done Ready to merge label Apr 12, 2026
@Akokonunes (Contributor)

Hi @neosmith1

Thank you for contributing this template to the community! This appears to be AI-generated based on the template structure and testing claims. We tried to reproduce the PoC on a vulnerable target but were unable to confirm the behavior. If you believe the template is correct, please send details or a vulnerable lab environment to templates@projectdiscovery.io.

@Akokonunes Akokonunes closed this Apr 12, 2026
@Akokonunes Akokonunes reopened this Apr 13, 2026
Updated the CVE details for CVE-2025-13652, changing the plugin version and severity. Added impact, remediation, and reference links, along with adjustments to the HTTP requests and matchers.
@DhiyaneshGeek DhiyaneshGeek merged commit dcbc929 into projectdiscovery:main Apr 13, 2026
3 checks passed
Labels

Done Ready to merge
4 participants