Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Blind SQL Injection. This issue affects WP-BusinessDirectory: from n/a through <= 3.1.4.
Published: 2025-07-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper neutralization of special elements in SQL commands (CWE‑89) in the WP‑BusinessDirectory plugin that exposes it to blind SQL injection. Because user input is not correctly sanitized before it reaches the database, an attacker can inject SQL that reads sensitive data, modifies or deletes records, or runs other database commands, a severe breach of confidentiality and integrity. The reported CVSS score of 9.3 signals critical severity.

Affected Systems

Any installation of the WP‑BusinessDirectory plugin from CMSJunkie at version 3.1.4 or older is vulnerable. The issue is present in all releases from the earliest listed (n/a) up to and including 3.1.4; newer releases are not affected.

Risk and Exploitability

The vulnerability's CVSS score of 9.3 and EPSS score below 1% indicate a critically high impact but a very low predicted probability of exploitation. The recorded vector, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L, describes a network-reachable attack that needs no privileges or user interaction and has high confidentiality impact. The issue is not currently listed in the CISA KEV catalog, suggesting no widely known exploitation in the wild. The flaw is exploitable remotely by sending crafted requests to the plugin's input fields, which lack proper sanitization, and reaching the underlying database through blind injection techniques. The likely vector is the web interface, requiring only that the site runs the affected plugin version and that the input endpoints are reachable.

Generated by OpenCVE AI on May 1, 2026 at 06:49 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest WP‑BusinessDirectory plugin version (3.1.5 or later) that eliminates the injection flaw.
  • If an immediate upgrade is not feasible, restrict access to the problematic plugin functionalities to trusted administrators only and disable or block the exposed input parameters that accept user data.
  • In all cases, enforce strict input validation and employ parameterized SQL queries to prevent any form of injection, addressing the core CWE‑89 weakness.

Advisories

Source: EUVD
ID: EUVD-2025-21597
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory allows Blind SQL Injection. This issue affects WP-BusinessDirectory: from n/a through 3.1.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description
    Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory allows Blind SQL Injection. This issue affects WP-BusinessDirectory: from n/a through 3.1.3.
    Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Blind SQL Injection.This issue affects WP-BusinessDirectory: from n/a through <= 3.1.4.
  • Title
    Removed: WordPress WP-BusinessDirectory <= 3.1.3 - SQL Injection Vulnerability
    Added: WordPress WP-BusinessDirectory <= 3.1.5 - SQL Injection vulnerability
  • References
  • Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 16 Jul 2025 13:45:00 +0000

  • Metrics (epss): {'score': 0.00028}

Wed, 16 Jul 2025 13:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 11:45:00 +0000

  • Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory allows Blind SQL Injection. This issue affects WP-BusinessDirectory: from n/a through 3.1.3.
  • Title: WordPress WP-BusinessDirectory <= 3.1.3 - SQL Injection Vulnerability
  • Weaknesses: CWE-89
  • References
  • Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:34.077Z

Reserved: 2025-01-23T14:53:08.867Z

Link: CVE-2025-24759

Vulnrichment

Updated: 2025-07-16T13:01:42.736Z

NVD

Status: Deferred

Published: 2025-07-16T12:15:23.377

Modified: 2026-06-17T08:59:33.687

Link: CVE-2025-24759

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:00:06Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')