Description (NVD)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Blind SQL Injection. This issue affects WP-BusinessDirectory: from n/a through <= 3.1.4.
Analysis (AI)
Blind SQL injection in CMSJunkie WP-BusinessDirectory WordPress plugin versions up to 3.1.4 allows unauthenticated remote attackers to execute arbitrary SQL queries against the plugin's database. This vulnerability, reported by Patchstack, enables attackers to extract sensitive data or manipulate database contents without direct visibility into query results, posing a significant risk to WordPress installations using affected versions.
Technical Context (AI)
The vulnerability stems from improper neutralization of special characters in SQL commands (CWE-89), a classic SQL injection flaw. WordPress plugins often build database queries dynamically from user-supplied input without adequate parameterization or escaping. WP-BusinessDirectory, a business directory plugin for WordPress, fails to sanitize user input before incorporating it into SQL queries. In a blind SQL injection the attacker cannot see query results directly, but can still infer database structure and extract data through time-based or boolean-based inference, one true/false answer at a time. Because the plugin runs its queries through WordPress's database layer (typically MySQL/MariaDB) with the site's database credentials, successful exploitation can become a gateway to data breach or privilege escalation.
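The pattern behind CWE-89 in a WordPress plugin, and the fix, look like the following. This is an added illustration written for this page, not code from WP-BusinessDirectory or from CMSJunkie; the table name `businessdirectory_listings`, the function names and the `category`/`search`/`id` inputs are hypothetical. The vulnerable function interpolates request data straight into the SQL string; the hardened functions bind every value through `$wpdb->prepare()` so that input is treated as data rather than as part of the statement.

```php
<?php
// Added example for this page; not the WP-BusinessDirectory plugin's own code.
// Assumes a hypothetical table {$wpdb->prefix}businessdirectory_listings with
// columns id, name and category, and hypothetical request parameters.

// VULNERABLE: the caller's string becomes part of the SQL text (CWE-89).
function bd_listings_vulnerable( $category ) {
    global $wpdb;
    $table = $wpdb->prefix . 'businessdirectory_listings';
    // Any quote or operator inside $category is parsed as SQL, not as a value.
    $sql = "SELECT id, name FROM {$table} WHERE category = '{$category}'";
    return $wpdb->get_results( $sql );
}

// HARDENED: $wpdb->prepare() binds the value; the table name is the only
// interpolated piece and it comes from the site's configured prefix, not from input.
function bd_listings_safe( $category, $search = '' ) {
    global $wpdb;
    $table = $wpdb->prefix . 'businessdirectory_listings';
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE category = %s",
        $category
    );
    if ( '' !== $search ) {
        // LIKE wildcards are not injection characters, but unescaped they let a
        // caller widen the match; esc_like() neutralises % and _ before binding.
        $like = '%' . $wpdb->esc_like( $search ) . '%';
        $sql .= $wpdb->prepare( ' AND name LIKE %s', $like );
    }
    return $wpdb->get_results( $sql );
}

// Integer inputs: %d plus absint() so a non-numeric value never reaches the query.
function bd_listing_by_id( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'businessdirectory_listings';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, name FROM {$table} WHERE id = %d", absint( $id ) )
    );
}
```

When reviewing a plugin for this class of bug, grep for `$wpdb->query`, `get_results`, `get_row`, `get_var` and `get_col` calls whose SQL string is built with interpolation or concatenation and is not wrapped in `$wpdb->prepare()`; each such call site that touches `$_GET`, `$_POST`, `$_REQUEST` or REST/AJAX parameters is a candidate for exactly the flaw described above.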
Affected Products (AI)
CMSJunkie WP-BusinessDirectory WordPress plugin (CPE: unavailable in provided data) versions from initial release through 3.1.4 inclusive are affected. The plugin is available on the official WordPress.org plugin repository. Administrators running WP-BusinessDirectory 3.1.4 or earlier should assume they are vulnerable; the exact earliest affected version is not specified, but the vulnerability affects the entire disclosed range.
Remediation (AI)
Upgrade WP-BusinessDirectory to version 3.1.5 or later immediately through the WordPress plugin dashboard (Plugins > Installed Plugins > WP-BusinessDirectory > Update) or manually via WordPress.org. Verify the patched version number post-upgrade. As an interim mitigation pending upgrade, restrict plugin functionality via WordPress security plugins (e.g., Wordfence) to limit query execution from untrusted sources, or temporarily deactivate the plugin if not critical to site operations. Refer to Patchstack's vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/wp-businessdirectory/vulnerability/wordpress-wp-businessdirectory-3-1-3-sql-injection-vulnerability for detailed patch notes and timeline.