CVE-2025-9012
CMSJunkie · WP-BusinessDirectory Plugin
A blind SQL injection vulnerability in the CMSJunkie WP-BusinessDirectory plugin allows unauthenticated attackers to execute arbitrary database queries via manipulated search parameters.
Executive summary
The CMSJunkie WP-BusinessDirectory plugin contains a critical SQL injection flaw that could allow unauthorized database access and potential data exfiltration.
Vulnerability
This is a blind SQL injection vulnerability residing in the search parameter handling of the plugin. It allows an unauthenticated attacker to inject malicious SQL commands to interact with the underlying database.
Business impact
Successful exploitation of this vulnerability can result in full unauthorized access to the application database, leading to the exfiltration of sensitive user or business data. Given the CVSS score of 9.3, this flaw poses a severe risk to data integrity and confidentiality, potentially resulting in significant reputational damage and regulatory non-compliance.
Remediation
Immediate Action: Update the CMSJunkie WP-BusinessDirectory plugin to the latest available version provided by the vendor.
Proactive Monitoring: Review web access logs for anomalous search queries containing SQL syntax characters (e.g., ', --, UNION, SELECT).
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common SQL injection patterns in HTTP requests.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS severity, administrators should prioritize updating the vulnerable plugin immediately. Ensure that all database connections utilized by the plugin follow the principle of least privilege to limit the impact of potential future SQL injection vectors.