CVE-2025-9012

CMSJunkie · WP-BusinessDirectory Plugin

A blind SQL injection vulnerability in the CMSJunkie WP-BusinessDirectory plugin allows unauthenticated attackers to execute arbitrary database queries via manipulated search parameters.

Executive summary

The CMSJunkie WP-BusinessDirectory plugin contains a critical SQL injection flaw that could allow unauthorized database access and potential data exfiltration.

Vulnerability

This is a blind SQL injection vulnerability residing in the search parameter handling of the plugin. It allows an unauthenticated attacker to inject malicious SQL commands to interact with the underlying database.

Business impact

Successful exploitation of this vulnerability can result in full unauthorized access to the application database, leading to the exfiltration of sensitive user or business data. Given the CVSS score of 9.3, this flaw poses a severe risk to data integrity and confidentiality, potentially resulting in significant reputational damage and regulatory non-compliance.

Remediation

Immediate Action: Update the CMSJunkie WP-BusinessDirectory plugin to the latest available version provided by the vendor.

Proactive Monitoring: Review web access logs for anomalous search queries containing SQL syntax characters (e.g., ', --, UNION, SELECT).

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common SQL injection patterns in HTTP requests.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS severity, administrators should prioritize updating the vulnerable plugin immediately. Ensure that all database connections utilized by the plugin follow the principle of least privilege to limit the impact of potential future SQL injection vectors.