CVE-2024-13507
WordPress · WordPress Multiple Products
A high-severity vulnerability has been discovered in the GeoDirectory and Classified Listings Directory plugins for WordPress.
Executive summary
A high-severity vulnerability has been discovered in the GeoDirectory and Classified Listings Directory plugins for WordPress. This flaw allows an unauthenticated attacker to steal sensitive information from the website's database by exploiting a time-based SQL Injection. Successful exploitation could lead to the complete compromise of database contents, including user data, customer information, and other confidential content.
Vulnerability
The vulnerability is a time-based SQL Injection in the dist parameter of the affected plugins. An attacker can send a specially crafted web request containing malicious SQL commands within this parameter. Because the user-supplied input is not properly sanitized before being included in a database query, the attacker can inject commands that instruct the database to pause for a specific amount of time (e.g., SLEEP(5)). By measuring the server's response time, the attacker can infer the contents of the database one character at a time, allowing for the stealthy exfiltration of sensitive data without triggering direct error messages.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could lead to a significant data breach, resulting in the unauthorized disclosure of all information stored in the website's database. This may include personally identifiable information (PII) of users, customer lists, hashed passwords, financial records, and proprietary business data. The consequences for the organization include severe reputational damage, loss of customer trust, potential regulatory fines under data protection laws like GDPR or CCPA, and the risk of further system compromise if stolen credentials are used to access other corporate resources.
Remediation
Immediate Action: Update the affected "GeoDirectory – WP Business Directory Plugin" and "Classified Listings Directory" plugins to the latest available version provided by the vendor, which contains a patch for this vulnerability. After updating, review the security settings for the plugins to ensure they are configured correctly. If a plugin is no longer required for business operations, it should be deactivated and completely removed to reduce the overall attack surface.
Proactive Monitoring: Monitor web application firewall (WAF) and web server access logs for unusual or repeated requests targeting the vulnerable dist parameter, especially those with abnormally long or complex string values. Database logs should be monitored for suspicious queries containing SLEEP(), BENCHMARK(), or WAITFOR commands, which are indicative of time-based SQL injection attempts. Anomaly detection on server response times can also help identify potential exploitation.
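As an added illustration of the log monitoring described above (example code, not part of the original advisory), the Python below scans constructed web-server access-log lines for requests whose dist parameter carries a time-delay function or an abnormally long or non-numeric value. The log lines, client addresses and the length threshold are assumptions for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
# Lines 1 and 5 are benign searches; lines 2-4 show the probe patterns the
# advisory describes: SLEEP()/BENCHMARK() payloads and an abnormally long value.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /?geodir_search=1&dist=25&sgeo_lat=51.5 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2025:12:00:02 +0000] "GET /?geodir_search=1&dist=25)%20AND%20SLEEP(5)-- HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2025:12:00:03 +0000] "GET /?geodir_search=1&dist=25%20AND%20BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jan/2025:12:00:04 +0000] "GET /?geodir_search=1&dist=1111111111111111111111111111 HTTP/1.1" 200 5120
198.51.100.9 - - [10/Jan/2025:12:00:05 +0000] "GET /listings/?dist=100 HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Time-delay functions named in the advisory (plus PostgreSQL's pg_sleep).
DELAY_RE = re.compile(r"\b(sleep|benchmark|waitfor|pg_sleep)\b", re.IGNORECASE)
MAX_DIST_LEN = 16  # assumed threshold: a legitimate distance is a short number


def classify_dist(value):
    """Return why a decoded dist value is suspicious, or None if it looks legitimate."""
    if DELAY_RE.search(value):
        return "time-delay function"
    if len(value) > MAX_DIST_LEN:
        return "abnormally long value"
    if not re.fullmatch(r"\d+(\.\d+)?", value):
        return "non-numeric value"
    return None


def scan_log(text):
    """Return (client_ip, decoded dist value, reason) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        # parse_qs percent-decodes values, so SLEEP(5) is visible even when URL-encoded.
        params = parse_qs(urlparse(m.group("target")).query)
        for value in params.get("dist", []):
            reason = classify_dist(value)
            if reason:
                findings.append((client_ip, value, reason))
    return findings


if __name__ == "__main__":
    for ip, value, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\tdist={value!r}\t{reason}")
```

Repeated hits from one client, or hits paired with unusually slow responses in the same log, are the signal worth escalating.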
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with a robust ruleset to detect and block SQL injection attacks. Ensure the WAF is in blocking mode and its signatures are up-to-date. Additionally, ensure the database user account associated with the WordPress application operates under the principle of least privilege, restricting its access to only the data necessary for the application to function.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the High severity (CVSS 7.5) and the direct risk of a data breach, it is strongly recommended that organizations immediately identify all WordPress instances running the vulnerable plugins and apply the vendor-supplied patches without delay. Although there is no evidence of active exploitation, the simplicity of exploiting such a flaw makes it a prime target. Proactive patching is the most effective defense to prevent potential database compromise, reputational damage, and financial loss.