Platform: wordpress
Component: wp-businessdirectory
Fixed in: 3.1.6
CVE-2025-24759 describes a Blind SQL Injection vulnerability discovered in the CMSJunkie WP-BusinessDirectory WordPress plugin. This flaw allows attackers to potentially extract sensitive data from the database, leading to unauthorized access and data breaches. The vulnerability affects versions from 0.0.0 through 3.1.4, and a patch is available in version 3.1.5.
The SQL Injection vulnerability in WP-BusinessDirectory allows an attacker to craft malicious SQL queries that are executed against the plugin's database. Because it's a 'blind' SQL injection, the attacker doesn't receive direct output from the queries, but can infer information through timing attacks or other techniques. This can be used to extract usernames, passwords, customer data, and other sensitive information stored in the database. Successful exploitation could lead to complete compromise of the WordPress site and its associated data. The lack of direct output makes detection more challenging, but the potential impact remains severe.
CVE-2025-24759 was publicly disclosed on 2025-07-16. There is no indication of this vulnerability being actively exploited at the time of writing, but the severity (CRITICAL) and the nature of blind SQL injection suggest it could be targeted. No public proof-of-concept exploits are currently available, but the vulnerability's ease of exploitation makes it a likely candidate for future exploitation attempts. It is not currently listed on the CISA KEV catalog.
Websites using the WP-BusinessDirectory plugin, particularly those running older versions (0.0.0–3.1.4), are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially expose data from others. Sites that haven't implemented robust input validation and output encoding practices are also at increased risk.
• wordpress / composer / npm:
grep -r "wp-businessdirectory" /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list | grep wp-businessdirectory
• wordpress / composer / npm:
curl -s https://your-wordpress-site.com/wp-content/plugins/wp-businessdirectory/readme.txt | grep -iE "stable tag|version"
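The checks above only locate the plugin; the following POSIX shell script, added here as an example and not taken from the advisory or from the plugin, compares a version string (such as the Stable tag read from the plugin's readme.txt) against the fixed release 3.1.5 named in the text to decide whether a site falls in the affected range 0.0.0 through 3.1.4. The sample readme text and the helper names (normalize, version_lt, is_affected, classify, readme_version, demo) are constructed for this example.

```shell
#!/bin/sh
# Added example (not the advisory's or the plugin's own code): classify an
# installed WP-BusinessDirectory version against CVE-2025-24759's affected
# range (0.0.0 through 3.1.4, fixed in 3.1.5 according to the advisory text).
FIXED_VERSION="3.1.5"

# Keep only digits and dots so tags like "3.1.4-beta" still compare numerically.
normalize() { printf '%s' "$1" | tr -cd '0-9.'; }

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower than B.
# Pure POSIX sh, so it does not depend on sort -V being available on the host.
version_lt() {
  a="$(normalize "$1")."; b="$(normalize "$2")."
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; a="${a#*.}"
    bi="${b%%.*}"; b="${b#*.}"
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
  done
  return 1
}

# is_affected VERSION: true when VERSION predates the fixed release.
is_affected() { version_lt "$1" "$FIXED_VERSION"; }

# classify VERSION: print "affected" or "patched" for reports and tests.
classify() {
  if is_affected "$1"; then echo "affected"; else echo "patched"; fi
}

# readme_version: read a WordPress readme.txt on stdin and print its Stable tag.
readme_version() {
  sed -n 's/^[Ss]table [Tt]ag:[[:space:]]*//p' | tr -d '\r' | head -n1
}

# Constructed sample readme (not the real plugin file), used by the demo below.
SAMPLE_README='=== WP-BusinessDirectory ===
Stable tag: 3.1.4
Tested up to: 6.5'

# On a live server, feed the real file instead:
#   readme_version < /var/www/html/wp-content/plugins/wp-businessdirectory/readme.txt
demo() {
  v="$(printf '%s\n' "$SAMPLE_README" | readme_version)"
  echo "wp-businessdirectory $v: $(classify "$v")"
}
demo   # prints: wp-businessdirectory 3.1.4: affected
```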
Exploit status:
EPSS: 0.04% (12th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-24759 is to immediately upgrade the WP-BusinessDirectory plugin to version 3.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block suspicious SQL injection attempts targeting the vulnerable endpoints. Specifically, look for unusual characters and patterns in GET and POST requests to the plugin's functionality. Regularly review database access logs for any unusual activity. After upgrading, confirm the fix by attempting a SQL injection payload on the vulnerable endpoint and verifying that it is properly sanitized.
Update to version 3.1.5, or a newer patched version
CVE-2025-24759 is a CRITICAL SQL Injection vulnerability affecting the CMSJunkie WP-BusinessDirectory WordPress plugin, allowing attackers to potentially extract sensitive data.
If you are using WP-BusinessDirectory versions 0.0.0 through 3.1.4, you are affected by this vulnerability. Upgrade to 3.1.5 or later immediately.
Upgrade the WP-BusinessDirectory plugin to version 3.1.5 or later. Consider implementing a WAF rule to block suspicious SQL injection attempts as a temporary workaround.
There is currently no evidence of active exploitation, but the severity and nature of the vulnerability suggest it could be targeted in the future.
Refer to the CMSJunkie website and WordPress plugin repository for the official advisory and update information.