Attack Vectors
CVE-2025-24759 is a High severity vulnerability (CVSS 7.5; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) affecting WP-BusinessDirectory – Business directory plugin for WordPress (slug: wp-businessdirectory) up to and including version 3.1.4.
The issue is an unauthenticated SQL Injection, meaning an external attacker can potentially target a vulnerable site over the internet without needing to log in or trick a user into clicking anything. This significantly increases exposure for websites that use WP-BusinessDirectory publicly (which is common for directory-style pages).
Reference: CVE-2025-24759 and the source advisory from Wordfence Threat Intelligence.
Security Weakness
WP-BusinessDirectory versions ≤ 3.1.4 are vulnerable due to insufficient escaping of a user-supplied parameter and a lack of sufficient preparation of an existing database query. In practical terms, the plugin may allow attacker-controlled input to be interpreted as part of a database query.
This weakness can allow an unauthenticated attacker to append additional SQL to an existing query and use that to extract sensitive information from the WordPress database.
Remediation: Update WP-BusinessDirectory to version 3.1.5 or a newer patched version.
Technical or Business Impacts
The CVSS vector indicates a high confidentiality impact (C:H). For business owners and compliance teams, this translates to a meaningful risk of data exposure—potentially including information stored in the WordPress database such as user records, email addresses, hashed passwords, site configuration data, and other plugin-managed data (depending on what your site stores).
Business outcomes can include brand damage, loss of customer trust, incident response costs, and potential regulatory or contractual implications if personal data is exposed. Even if the vulnerability does not primarily target availability, the downstream effects of a breach (site takedowns during response, emergency vendor support, and marketing disruption) can be significant.
Recommended next steps for leadership: confirm whether WP-BusinessDirectory is installed anywhere in your web portfolio, prioritize the 3.1.5+ update in your change calendar, and validate your ability to restore quickly (tested backups) in case investigation reveals suspicious access patterns.
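To support the first of those steps, here is an added inventory check (not from the advisory or the plugin vendor) that walks a list of WordPress document roots, reads the version declared in the plugin's header, and flags anything below 3.1.5. It assumes the plugin is installed under wp-content/plugins/wp-businessdirectory/ and that its main file carries the standard WordPress "Version:" header line.

```python
"""Audit WordPress roots for WP-BusinessDirectory <= 3.1.4 (CVE-2025-24759).
Assumed, not stated in the advisory: the plugin sits under
wp-content/plugins/wp-businessdirectory/ and its main file carries the
standard WordPress plugin header line "Version: x.y.z".
"""
import re
from pathlib import Path
from typing import Optional

PLUGIN_SLUG = "wp-businessdirectory"
FIXED_VERSION = "3.1.5"  # first patched release named in the advisory
# Matches the " * Version: 3.1.4" line of a WordPress plugin header block.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE | re.IGNORECASE)

def parse_version(text: str) -> tuple:
    """'3.1.4' -> (3, 1, 4), so versions compare numerically ('3.1.10' > '3.1.5')."""
    return tuple(int(p) for p in text.strip().strip(".").split("."))

def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def version_from_header(php_source: str) -> Optional[str]:
    """Extract the declared version from a plugin file's header comment, if any."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None

def installed_version(wp_root) -> Optional[str]:
    """Version declared by the plugin under this WordPress root, or None if absent."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php_file in sorted(plugin_dir.glob("*.php")):
        version = version_from_header(php_file.read_text(errors="replace"))
        if version:
            return version
    return None

def audit(wp_roots) -> dict:
    """Map each root to 'not installed', 'vulnerable <ver>' or 'patched <ver>'."""
    report = {}
    for root in wp_roots:
        version = installed_version(root)
        if version is None:
            report[str(root)] = "not installed"
        else:
            state = "vulnerable" if is_vulnerable(version) else "patched"
            report[str(root)] = f"{state} {version}"
    return report
```

Calling `audit(["/var/www/site1", "/var/www/site2"])` returns one status string per root; a "vulnerable" entry is a site to move to the front of the update calendar and to include in any log review for suspicious database access.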
Similar Attacks
Unauthenticated SQL injection issues in WordPress plugins have been repeatedly leveraged to extract database information from public-facing sites. One example: CVE-2021-24333 (WP Statistics – SQL Injection), which illustrates how internet-accessible plugin endpoints can become high-value targets when input handling is insufficient.