CVE-2025-26974 — AI Deep Analysis Summary

🚨 **Essence**: SQL Injection (SQLi) in WP Multi Store Locator. <br>💥 **Consequences**: Attackers can manipulate database queries. This leads to **data theft**, **data manipulation**, or **server compromise**.…

🛡️ **Root Cause**: **CWE-89** (SQL Injection). <br>🔍 **Flaw**: Improper neutralization of special elements used in an SQL command. The plugin fails to sanitize user input before using it in SQL queries.

📦 **Affected Product**: WordPress Plugin **WP Multi Store Locator**. <br>📅 **Versions**: Version **2.5.1** and earlier. <br>🏢 **Vendor**: WPExperts.io.

🕵️ **Attacker Actions**: <br>1. Extract sensitive database data (users, configs). <br>2. Modify or delete records. <br>3. Potentially execute administrative commands via SQL.…

🔓 **Exploitation Threshold**: **LOW**. <br>📊 **CVSS**: AV:N (Network), AC:L (Low Complexity), PR:N (No Privileges Required), UI:N (No User Interaction). <br>⚡ **Verdict**: Easy to exploit remotely without login.

💣 **Public Exploit**: **No**. <br>📝 **Status**: The `pocs` field is empty. No public Proof-of-Concept (PoC) or wild exploitation code is currently available in the provided data.

🔍 **Self-Check**: <br>1. Scan for **WP Multi Store Locator** plugin. <br>2. Check version number (≤ 2.5.1). <br>3. Use SQLi scanners on store locator endpoints. <br>4. Look for error-based SQL injection responses.

🩹 **Official Fix**: **Yes**. <br>📢 **Action**: Update the plugin to the latest version. <br>🔗 **Reference**: Patchstack database entry confirms the vulnerability and implies a patch exists for newer versions.

🚧 **No Patch Workaround**: <br>1. **Deactivate/Remove** the plugin immediately. <br>2. Use WAF (Web Application Firewall) rules to block SQLi patterns. <br>3. Restrict access to plugin endpoints via `.htaccess`.

⚠️ **Urgency**: **HIGH**. <br>🔥 **Priority**: Critical. <br>📉 **Reason**: No auth required, network-accessible, and high confidentiality impact. Patch immediately to prevent data breaches.