CVE-2025-67516

Vulnerability

Overview

The Agile Logix Store Locator WordPress plugin (versions up to version 1.6.2 contains a blind SQL injection vulnerability due to improper neutralization of special elements used in an SQL command. This flaw allows an attacker to inject arbitrary SQL queries through the plugin's input handling, leading to unauthorized database interaction [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable plugin endpoint. No special privileges or user interaction are required. The blind nature of the injection means the attacker may need to infer database contents through boolean-based or time-based techniques, but the attack surface is accessible to anyone with network access to the WordPress site [1].

Impact

Successful exploitation enables an attacker to directly interact with the WordPress database, potentially extracting sensitive information such as user credentials, personal data, or site configuration. The CVSS v3 base score of 8.5 reflects the high severity, as the vulnerability can be used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Mitigation

The vendor has released version 1.6.3 which fixes the SQL injection. Users are strongly advised to update immediately. For those unable to update, contacting the hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].