Description
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Attackers can send GET requests to autosuggest.php with crafted wpas_keys values to extract sensitive database information from WordPress posts and other tables.
Published: 2026-06-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP AutoSuggest 0.24 contains an unauthenticated SQL injection flaw that is triggered via the wpas_keys GET parameter in the autosuggest.php endpoint. By supplying crafted input, an attacker can execute arbitrary SQL against the WordPress database, enabling the extraction of posts, comments, users, or other sensitive data stored in WordPress tables. The weakness is classified as CWE‑89 and has a CVSS score of 8.8, indicating a high severity issue.

Affected Systems

The vulnerability affects the WP AutoSuggest plugin version 0.24, developed by eliekhoury, when installed on WordPress sites. Sites that have not applied the latest patch or an update are potentially impacted, as the plugin’s default configuration allows direct access to the autosuggest.php endpoint.

Risk and Exploitability

The flaw carries a high CVSS rating, but no EPSS score is available and it is not listed in the CISA KEV catalog, suggesting limited widespread exploitation at present. Because the vulnerability is reached over HTTP/HTTPS and does not require authentication, it represents a network‑based attack vector that any external actor can use. The combination of high severity, unauthenticated access, and ease of exploitation makes the risk significant for affected WordPress installations.

Generated by OpenCVE AI on June 1, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP AutoSuggest plugin to a version that removes the vulnerable wpas_keys handling or applies the official security fix.
  • If an immediate update is not possible, configure the web server or WordPress to block or reject requests to autosuggest.php or to any requests containing the wpas_keys parameter, thus closing the injection path.
  • Apply input validation or use parameterized queries for the wpas_keys value to eliminate unsanitized user input from reaching the database, addressing the underlying CWE‑89 weakness.

Generated by OpenCVE AI on June 1, 2026 at 22:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Attackers can send GET requests to autosuggest.php with crafted wpas_keys values to extract sensitive database information from WordPress posts and other tables.
Title WP AutoSuggest 0.24 SQL Injection via autosuggest.php
First Time appeared What3words
What3words autosuggest
Weaknesses CWE-89
CPEs cpe:2.3:a:what3words:autosuggest:0.24:*:*:*:*:*:*:*
Vendors & Products What3words
What3words autosuggest
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

What3words Autosuggest
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-02T15:49:20.062Z

Reserved: 2026-06-01T11:54:21.342Z

Link: CVE-2018-25434

cve-icon Vulnrichment

Updated: 2026-06-02T15:49:15.436Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T22:16:16.860

Modified: 2026-06-02T14:43:49.920

Link: CVE-2018-25434

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T23:00:16Z

Weaknesses