CVE-2026-57707

quantumcloud · Simple Business Directory Pro

The Simple Business Directory Pro plugin for WordPress is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary database commands.

Executive summary

A critical SQL injection vulnerability in the Simple Business Directory Pro plugin enables unauthenticated attackers to perform unauthorized database operations.

Vulnerability

The plugin suffers from a classic SQL Injection vulnerability (CWE-89) where user-supplied input is not properly sanitized before being used in database queries. The vulnerability is fully automatable by unauthenticated remote attackers.

Business impact

The ability to perform SQL injection allows an attacker to bypass authentication, extract sensitive business directory data, or potentially modify directory records. With a CVSS score of 9.3, this vulnerability poses a severe risk to the integrity and confidentiality of the data managed by the plugin, potentially resulting in significant data breaches.

Remediation

Immediate Action: Update the Simple Business Directory Pro plugin to the latest version beyond 15.9.4 as soon as the vendor provides a patch.

Proactive Monitoring: Monitor site traffic for suspicious input patterns in URL parameters or form submissions that match common SQL injection syntax.

Compensating Controls: Implement a Web Application Firewall (WAF) to filter malicious requests containing SQL syntax, providing virtual patching until the software can be updated.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Security teams should treat this vulnerability with high urgency. Given the ease of exploitation, immediate patching is required to protect the integrity of the database. Conduct a thorough audit of the affected environment if the plugin remains in use while waiting for a vendor-supplied update.