Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection.This issue affects Store Locator WordPress: from n/a through <= 1.6.2.
Published: 2025-12-09
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Store Locator WordPress plugin from Agile Logix contains an improper neutralization of special elements in an SQL command. This flaw, identified as CWE-89, allows an attacker to insert malicious SQL statements that are executed by the database. The affected logic enables blind SQL injection, meaning an attacker can infer data or manipulate records without receiving explicit error messages. This could compromise database confidentiality and integrity, potentially exposing sensitive user data or altering application configuration.

Affected Systems

Agile Logix’s Store Locator WordPress plugin, version 1.6.2 and earlier. The problematic code exists in all releases from the earliest available version up to and including 1.6.2.

Risk and Exploitability

The severity of the flaw is high, with a CVSS score of 8.5. The EPSS indicates a very low exploitation probability (<1%), and the vulnerability is not currently listed in CISA’s KEV catalog. The attack vector is inferred to be via unauthenticated or minimally authenticated HTTP requests to the plugin’s exposed endpoints, allowing an attacker to submit crafted payloads that are incorporated directly into SQL queries.

Generated by OpenCVE AI on April 29, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Agile Logix Store Locator WordPress plugin to the latest available version (1.6.3 or later) to remove the vulnerable code.
  • If an upgrade cannot be performed immediately, restrict access to the plugin’s endpoints by blocking traffic from untrusted sources and enforce authentication checks to limit who can submit input to the plugin.
  • Implement additional input validation or switch to parameterized queries within the plugin’s code to mitigate future injection risks, following best practices for handling SQL inputs per CWE-89.

Generated by OpenCVE AI on April 29, 2026 at 22:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 11 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Agile Logix
Agile Logix store Locator Wordpress
Wordpress
Wordpress wordpress Mu
Vendors & Products Agile Logix
Agile Logix store Locator Wordpress
Wordpress
Wordpress wordpress Mu

Tue, 09 Dec 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection.This issue affects Store Locator WordPress: from n/a through <= 1.6.2.
Title WordPress Store Locator WordPress plugin <= 1.6.2 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Agile Logix Store Locator Wordpress
Wordpress Wordpress Mu
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:19.635Z

Reserved: 2025-12-09T12:20:54.762Z

Link: CVE-2025-67516

cve-icon Vulnrichment

Updated: 2025-12-11T19:01:15.265Z

cve-icon NVD

Status : Deferred

Published: 2025-12-09T16:18:24.550

Modified: 2026-04-27T18:16:40.060

Link: CVE-2025-67516

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T23:00:14Z

Weaknesses