CVE-2018-25434
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
WP AutoSuggest 0.24 is vulnerable to SQL injection via the wpas_keys parameter, allowing unauthenticated attackers to extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WP AutoSuggest 0.24 is vulnerable to SQL injection via the `wpas_keys` parameter, allowing unauthenticated attackers to extract sensitive database information.
Vulnerability
WP AutoSuggest version 0.24 contains an SQL injection vulnerability in autosuggest.php. This vulnerability is triggered when the wpas_keys parameter is not properly sanitized, allowing attackers to inject malicious SQL code. The affected plugin is no longer available for download due to a security issue [4].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted GET request to autosuggest.php with malicious input in the wpas_keys parameter. The plugin processes this parameter by replacing spaces with % and then directly embedding it into an SQL query to search post titles. Tools like sqlmap can be used to automate the exploitation process [3].
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries. This can lead to the extraction of sensitive database information, including data from WordPress posts and other tables. The attacker gains read access to the database content.
Mitigation
WP AutoSuggest version 0.24 is affected by this vulnerability. The plugin has been closed and is not available for download as of January 7, 2019, due to a security issue [4]. No patched version is available, and users should uninstall the plugin if it is still in use. No other mitigation or workaround information is available in the provided references.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <0.24
Patches
0wp-autosuggestThis plugin has been removed from the WordPress.org directory on 2019-01-07 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
4News mentions
0No linked articles in our index yet.