Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows SQL Injection. This issue affects Store Locator WordPress: from n/a through <= 1.5.1.
Published: 2025-06-06
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements in the SQL command creates an injection point that lets an attacker insert arbitrary SQL code when interacting with the Agile Logix Store Locator WordPress plugin. The flaw can allow unauthorized disclosure, modification, or deletion of database records and may lead to further privilege escalation if the database user has elevated rights. The weakness is classified as CWE‑89.

Affected Systems

Any WordPress installation that has the Agile Logix Store Locator WordPress plugin version 1.5.1 or earlier is affected. The CVE does not confirm that newer releases (e.g., 1.5.2) include a fix, so administrators should verify whether an updated version addresses the issue.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity, and the EPSS score of less than 1% suggests that exploit attempts are currently uncommon. The vulnerability is not listed in the CISA KEV catalog, so it has not yet been documented as known to be exploited. Attackers would typically trigger the flaw via crafted HTTP requests to the plugin’s data handling endpoints. It appears that authentication is not required, which would indicate a public attack surface, but this is inferred from the description; the CVSS vector recorded for this CVE (PR:H) specifies that high privileges are required.

Generated by OpenCVE AI on April 30, 2026 at 18:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Store Locator WordPress plugin to the latest available version (if a newer version than 1.5.1 exists) to eliminate the injection vector.
  • If an upgrade is not feasible, disable or delete the plugin’s exposed endpoints or replace the plugin with an alternative that has proper input validation.
  • Apply a least‑privilege policy to the database user used by WordPress so that the plugin can only perform necessary SELECT operations, limiting the potential impact of any successful injection.

Generated by OpenCVE AI on April 30, 2026 at 18:34 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-17244
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress allows SQL Injection. This issue affects Store Locator WordPress: from n/a through 1.5.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress allows SQL Injection. This issue affects Store Locator WordPress: from n/a through 1.5.1.
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows SQL Injection. This issue affects Store Locator WordPress: from n/a through <= 1.5.1.
Title
  Removed: WordPress Store Locator WordPress <= 1.5.1 - SQL Injection Vulnerability
  Added: WordPress Store Locator WordPress plugin <= 1.5.1 - SQL Injection Vulnerability
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Fri, 06 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress allows SQL Injection. This issue affects Store Locator WordPress: from n/a through 1.5.1.
Title WordPress Store Locator WordPress <= 1.5.1 - SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:01.073Z

Reserved: 2025-06-04T09:42:17.747Z

Link: CVE-2025-49328

Vulnrichment

Updated: 2025-06-06T15:38:27.405Z

NVD

Status: Deferred

Published: 2025-06-06T13:15:50.400

Modified: 2026-04-23T15:31:28.537

Link: CVE-2025-49328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:45:21Z

Weaknesses