CVE-2025-26974
Published: 25 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26974 is an SQL injection vulnerability, classified as improper neutralization of special elements used in an SQL command (CWE-89), that enables blind SQL injection in the WP Multistore Locator plugin (wp-multi-store-locator) developed by WPExperts.io for WordPress. This issue affects all versions of the plugin from unspecified initial releases through 2.5.1.
The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), indicating it is exploitable remotely by unauthenticated attackers with low complexity and no user interaction required. Exploitation changes the scope, allowing attackers to achieve high confidentiality impact by extracting sensitive data from the database via blind SQL injection techniques, alongside low integrity and availability impacts.
Patchstack has published an advisory on this vulnerability, detailing the SQL injection flaw in WP Multistore Locator version 2.5.1, accessible at https://patchstack.com/database/Wordpress/Plugin/wp-multi-store-locator/vulnerability/wordpress-wp-multi-store-locator-plugin-2-5-1-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress plugin directly enables T1190 for unauthenticated remote exploitation to extract database data.