This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Blind SQL Injection in WP-BusinessDirectory. π₯ **Consequences**: Attackers can manipulate database queries, potentially leaking sensitive data or disrupting site operations.β¦
π‘οΈ **CWE-89**: SQL Injection. π **Flaw**: The plugin fails to properly sanitize or parameterize user inputs before constructing SQL commands. This allows malicious SQL code to be executed.
Q3Who is affected? (Versions/Components)
π₯ **Affected**: WordPress sites using the **WP-BusinessDirectory** plugin. π **Versions**: Version **3.1.3** and all earlier versions. Vendor: CMSJunkie.
Q4What can hackers do? (Privileges/Data)
π **Hackers' Power**: Can perform **Blind SQL Injection**. π **Impact**: High Confidentiality impact (C:H).β¦
β‘ **Threshold**: LOW. π« **Auth**: No authentication required (PR:N). π **Access**: Network accessible (AV:N). π±οΈ **UI**: No user interaction needed (UI:N). It is easily exploitable remotely.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π¦ **Public Exp?**: No specific PoC code provided in the data. π° **References**: Patchstack database entries confirm the vulnerability exists. Wild exploitation is likely given the low complexity.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Scan for WP-BusinessDirectory plugin version. π **Indicator**: Look for version **3.1.3 or lower**. π§ͺ **Test**: Use SQL injection scanners (like SQLmap) against directory endpoints if authorized.β¦
π§ **Fix**: Update the plugin immediately. π **Status**: Vulnerability disclosed on 2025-07-16. π **Action**: Upgrade to the latest version released by CMSJunkie to patch the SQL handling flaw.
Q9What if no patch? (Workaround)
π§ **No Patch?**: If updating isn't possible, restrict access to directory pages via IP whitelisting. π‘οΈ **WAF**: Deploy Web Application Firewall rules to block SQL injection patterns.β¦
π₯ **Urgency**: HIGH. π **CVSS**: 7.5 (High). π¨ **Priority**: Patch immediately. With no auth required and high data impact, this is a critical risk for any business directory site.