Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shamalli Web Directory Free web-directory-free allows Blind SQL Injection. This issue affects Web Directory Free: from n/a through <= 1.7.6.
Published: 2025-03-25
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw in the Shamalli Web Directory Free WordPress plugin: attacker-controlled input is incorporated directly into a database query without proper sanitization or parameterization. The advisory characterises it as blind SQL injection, meaning the attacker does not see query output directly but can infer it from differences in the application's responses. As a result, an attacker can extract sensitive data, modify database contents, or ultimately execute arbitrary SQL commands that could lead to full database compromise, or server compromise if further exploits are chained. This flaw is identified as CWE-89.

Affected Systems

WordPress sites running the Shamalli Web Directory Free plugin, versions 1.7.6 and below, are affected. The vulnerability persists across all minor releases up to 1.7.6; any site that has not upgraded to 1.7.7 or later is at risk.

Risk and Exploitability

The CVSS score of 9.3 places this issue in the critical severity range. However, the EPSS score is reported as less than 1%, indicating a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in CISA's KEV catalog. Attackers would most likely exploit the flaw through a crafted HTTP request to the plugin’s exposed endpoint, potentially without authentication, though the exact conditions are not detailed in the advisory.

Generated by OpenCVE AI on May 1, 2026 at 13:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the Web Directory Free plugin (≥ 1.7.7).
  • If the plugin cannot be upgraded immediately, uninstall or deactivate it to eliminate the attack surface.
  • Deploy a Web Application Firewall rule or input validation pattern that blocks suspicious SQL syntax in incoming requests to the plugin.



Advisories

Source: EUVD
ID: EUVD-2025-8095
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shamalli Web Directory Free allows Blind SQL Injection. This issue affects Web Directory Free: from n/a through 1.7.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shamalli Web Directory Free allows Blind SQL Injection. This issue affects Web Directory Free: from n/a through 1.7.6.
    Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shamalli Web Directory Free web-directory-free allows Blind SQL Injection.This issue affects Web Directory Free: from n/a through <= 1.7.6.
  References: changed (values not shown on this page)
  Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Tue, 25 Mar 2025 19:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 25 Mar 2025 19:00:00 +0000

  Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shamalli Web Directory Free allows Blind SQL Injection. This issue affects Web Directory Free: from n/a through 1.7.6.
  Title: WordPress Web Directory Free plugin <= 1.7.6 - SQL Injection vulnerability
  Weaknesses: CWE-89
  References: changed (values not shown on this page)
  Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:50.328Z

Reserved: 2025-03-11T08:09:18.300Z

Link: CVE-2025-28904

Vulnrichment

Updated: 2025-03-25T18:59:01.462Z

NVD

Status : Deferred

Published: 2025-03-25T19:15:45.827

Modified: 2026-04-23T15:26:34.383

Link: CVE-2025-28904

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:45:06Z

Weaknesses