Platform: wordpress
Component: wp-businessdirectory
Fixed in: 3.1.6
CVE-2025-24759 describes a Blind SQL Injection vulnerability discovered in the CMSJunkie WP-BusinessDirectory WordPress plugin. This flaw allows attackers to potentially extract sensitive data from the database, leading to unauthorized access and data breaches. The vulnerability affects versions from 0.0.0 through 3.1.4, and a patch is available in version 3.1.5.
The SQL Injection vulnerability in WP-BusinessDirectory allows an attacker to craft input that is incorporated into SQL queries executed against the plugin's database. Because it is a 'blind' SQL injection, the attacker does not receive the query results directly, but can still infer them by observing differences in the response (true/false conditions) or in response time (timing attacks). Repeated in this way, the technique can be used to extract usernames, password hashes, customer data, and other sensitive information stored in the database. Successful exploitation could lead to complete compromise of the WordPress site and its associated data. The lack of direct output makes detection more challenging, but the potential impact remains severe.
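The query pattern behind this class of bug and its parameterized fix, shown as an added Python/sqlite3 example rather than the plugin's own code (this advisory does not publish the vulnerable code). The listings table, its rows and the exists-check function are constructed stand-ins; in WordPress the equivalent of parameter binding is `$wpdb->prepare()`. The check returns only a boolean, which is exactly the situation that makes an injection "blind": nothing is echoed back, yet the SQL text is still under the caller's control.

```python
import sqlite3

# Constructed in-memory stand-in for a plugin listings table; not the
# plugin's real schema, which this advisory does not describe.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE listings (id INTEGER PRIMARY KEY, name TEXT, owner_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO listings (name, owner_email) VALUES (?, ?)",
        [
            ("Acme Plumbing", "owner@example.invalid"),
            ("Bob's Bakery", "bob@example.invalid"),
        ],
    )
    return conn


def listing_exists_unsafe(conn: sqlite3.Connection, name: str) -> bool:
    # Vulnerable pattern: user input spliced into the SQL text. The caller
    # only learns True/False, so an injection here yields no direct output
    # (hence "blind"), but the WHERE clause is still attacker-controlled.
    sql = f"SELECT COUNT(*) FROM listings WHERE name = '{name}'"
    (count,) = conn.execute(sql).fetchone()
    return count > 0


def listing_exists_safe(conn: sqlite3.Connection, name: str) -> bool:
    # Hardened pattern: parameter binding keeps the input as data, never
    # as SQL syntax. The WordPress counterpart is $wpdb->prepare().
    sql = "SELECT COUNT(*) FROM listings WHERE name = ?"
    (count,) = conn.execute(sql, (name,)).fetchone()
    return count > 0


def compare(name: str) -> dict:
    """Run both versions on the same input against a fresh database.

    'error' marks a query the database rejected, i.e. the input broke the
    SQL syntax; that happens to legitimate input too, not only to attacks.
    """
    conn = build_db()
    out = {}
    for label, fn in (("unsafe", listing_exists_unsafe), ("safe", listing_exists_safe)):
        try:
            out[label] = fn(conn, name)
        except sqlite3.Error:
            out[label] = "error"
    conn.close()
    return out


if __name__ == "__main__":
    for sample in ("Acme Plumbing", "Nobody", "Bob's Bakery", "' OR '1'='1"):
        print(repr(sample), compare(sample))
```

The two inputs worth watching are the apostrophe in a real business name, which the unsafe version turns into a database error, and the tautology, which the unsafe version answers True for a name that does not exist; the parameterized version treats both as ordinary strings.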
CVE-2025-24759 was publicly disclosed on 2025-07-16. There is no indication of this vulnerability being actively exploited at the time of writing, but the severity (CRITICAL) and the nature of blind SQL injection suggest it could be targeted. No public proof-of-concept exploits are currently available, but the vulnerability's ease of exploitation makes it a likely candidate for future exploitation attempts. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2025-24759 is to immediately upgrade the WP-BusinessDirectory plugin to version 3.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block suspicious SQL injection attempts targeting the vulnerable endpoints. Specifically, look for unusual characters and patterns in GET and POST requests to the plugin's endpoints. Regularly review database access logs for any unusual activity. After upgrading, confirm the fix by attempting a SQL injection payload on the vulnerable endpoint and verifying that it is properly sanitized.
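A minimal log-review check of the kind the mitigation above calls for, added here as an example and not taken from the plugin or from any vendor WAF ruleset: it parses Apache combined-format access log lines, percent-decodes each query parameter, and flags values carrying common SQL injection signatures, including the database delay functions that a time-based blind probe relies on. The five log lines, the addresses, the page_id/search/term parameter names and the plugin_search_placeholder action are constructed placeholders; the real vulnerable endpoint is not named in this advisory.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined log format. The addresses,
# the page_id/search/term parameters and the plugin_search_placeholder
# action are placeholders, not the plugin's real endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jul/2025:10:01:02 +0000] "GET /?page_id=12&search=plumbing HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jul/2025:10:01:09 +0000] "GET /?page_id=12&search=plumbing%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.4 - - [16/Jul/2025:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=plugin_search_placeholder&term=%27+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.9 - - [16/Jul/2025:10:03:11 +0000] "GET /?page_id=12&search=O%27Brien HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jul/2025:10:04:45 +0000] "GET /?page_id=12&search=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
"""

# One regex per signature family. The first covers the delay functions a
# time-based blind probe depends on; the third requires a quote followed
# by OR/AND and a comparison, so a name like O'Brien does not trip it.
SIGNATURES = [
    ("time-based probe", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I)),
    ("boolean tautology", re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=", re.I)),
    ("comment terminator", re.compile(r"--(\s|$)|/\*")),
    ("schema probing", re.compile(r"information_schema", re.I)),
]

# Apache combined format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_params(target: str) -> dict:
    """Split the query string and decode each value.

    parse_qsl already decodes one layer of percent-encoding and '+'.
    A second unquote() runs only when '%' survives, which catches the
    double-encoded variants WAF evasion attempts commonly use.
    """
    query = urlsplit(target).query
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        params[key] = unquote(value) if "%" in value else value
    return params


def scan_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access log line
    hits = []
    for param, value in decode_params(m["target"]).items():
        for label, rx in SIGNATURES:
            if rx.search(value):
                hits.append((param, label))
    if not hits:
        return None
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "method": m["method"],
        "path": urlsplit(m["target"]).path,
        "hits": hits,
    }


def scan_log(text: str) -> list:
    """Scan a whole log and keep only the flagged requests, in order."""
    return [r for r in (scan_line(ln) for ln in text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Standard access logs carry only the request line, so this catches injection attempts in the query string; for the POST case the mitigation mentions, the same `scan_line` logic has to be fed the decoded request body from a WAF or application-level log instead. The fourth sample line (a legitimate apostrophe) is deliberately not flagged, which is the false-positive check to keep when tuning the signatures.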
Update to version 3.1.5 or a newer patched version.
CVE-2025-24759 is a CRITICAL SQL Injection vulnerability affecting the CMSJunkie WP-BusinessDirectory WordPress plugin, allowing attackers to potentially extract sensitive data.
If you are using WP-BusinessDirectory versions 0.0.0 through 3.1.4, you are affected by this vulnerability. Upgrade to 3.1.5 or later immediately.
Upgrade the WP-BusinessDirectory plugin to version 3.1.5 or later. Consider implementing a WAF rule to block suspicious SQL injection attempts as a temporary workaround.
There is currently no evidence of active exploitation, but the severity and nature of the vulnerability suggest it could be targeted in the future.
Refer to the CMSJunkie website and WordPress plugin repository for the official advisory and update information.