WP-BusinessDirectory – Business directory plugin for WordPress Vuln…

Feb 25, 2026 | Plugins

Attack Vectors

CVE-2025-24759 is a High-severity vulnerability (CVSS 7.5) affecting WP-BusinessDirectory – Business directory plugin for WordPress (slug: wp-businessdirectory) in versions up to and including 3.1.3. The issue is an unauthenticated SQL Injection, meaning an attacker can target the site remotely over the internet without needing a valid user account.

Because exploitation requires neither user interaction nor a valid account and has low attack complexity, this is particularly relevant for public-facing WordPress sites where the directory functionality is exposed to anonymous visitors.

Security Weakness

The weakness is insufficient escaping of a user-supplied parameter combined with the absence of a prepared statement for an existing SQL query. In practical terms, an attacker can inject additional SQL through an input the plugin accepts, changing what the query returns or does rather than just what it filters on.

In the context of business risk, this is a classic “trusting user input too much” problem: the application accepts data from an unauthenticated request and passes it into database queries without adequate safeguards.
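The following is an added illustration of this weakness class, not code from the WP-BusinessDirectory plugin or from the advisory. The page does not name the vulnerable parameter, query, or table, so the schema, table names, rows, and the `city` parameter below are constructed assumptions; the contrast is between a query that concatenates user input into SQL text and one that passes it as a bound parameter, which is what WordPress's `$wpdb->prepare()` with `%s`/`%d` placeholders does in PHP.

```python
import sqlite3

# Constructed stand-in for a WordPress database. The real plugin's table and
# column names are not given on the page; these names are assumptions.
SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_pass TEXT);
CREATE TABLE wp_businessdirectory (
    id INTEGER PRIMARY KEY, name TEXT, city TEXT);
INSERT INTO wp_users VALUES (1, 'admin', 'admin@example.test', '$P$Bconstructedhash');
INSERT INTO wp_businessdirectory VALUES
    (1, 'Acme Plumbing', 'Leeds'),
    (2, 'Bean Cafe', 'York');
"""


def make_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, city):
    """Mirrors the weakness described in the advisory: the user-supplied value
    is pasted into the SQL string with no escaping and no prepared statement."""
    sql = "SELECT name, city FROM wp_businessdirectory WHERE city = '" + city + "'"
    return conn.execute(sql).fetchall()


def search_prepared(conn, city):
    """Parameterised form: the value is bound separately and never becomes
    part of the SQL text, so it cannot change the query's structure."""
    sql = "SELECT name, city FROM wp_businessdirectory WHERE city = ?"
    return conn.execute(sql, (city,)).fetchall()


# A UNION-based payload of the kind used to pull other tables out through a
# query that was only meant to filter directory entries. Constructed for the
# demo; the trailing "-- " comments out the closing quote the query adds.
PAYLOAD = "x' UNION SELECT user_email, user_pass FROM wp_users -- "


def demo():
    """Run the same anonymous input through both query styles."""
    conn = make_db()
    return {
        "vulnerable": search_vulnerable(conn, PAYLOAD),
        "prepared": search_prepared(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for style, rows in demo().items():
        print(f"{style}: {rows}")
```

The concatenating version hands back the `wp_users` email and password hash through a listing endpoint that requires no login, which is exactly the "extract sensitive information from the WordPress database" outcome the advisory describes; the bound-parameter version treats the whole payload as a city name and returns nothing. Escaping alone is weaker than binding because it has to match the quoting context of every call site, which is why the advisory flags both the missing escaping and the missing preparation.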

Technical or Business Impacts

According to the published advisory, successful exploitation can allow attackers to extract sensitive information from the WordPress database. Depending on what is stored in your database, this may include personal data, business contact details, internal operational information, or other confidential records used by your site and plugins.

From a leadership, compliance, and brand perspective, the most material risks typically include data exposure, potential privacy and regulatory notifications if personal data is involved, and reputational damage that can impact customer trust and revenue. Even if your WordPress site is “just marketing,” it often contains valuable contact lists, submissions, directory records, or other business data that attackers can monetize.

Remediation: Update WP-BusinessDirectory to version 3.1.5 or a newer patched version. Reference: Wordfence vulnerability entry. The associated CVE record is CVE-2025-24759.
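To confirm where an install stands against the version boundaries the advisory gives (affected up to and including 3.1.3, fixed in 3.1.5 or newer), here is an added check that reads the `Version:` line from a WordPress plugin file header and classifies it. It is not part of the page or the plugin; the header text is a constructed sample, and the plugin's main file name is not given on the page, so the caller supplies the file contents. The advisory text on the page says nothing about 3.1.4, and the code reports that gap rather than guessing.

```python
import re

# Boundaries taken from the advisory text on this page.
LAST_AFFECTED = (3, 1, 3)
FIRST_PATCHED = (3, 1, 5)


def parse_version(version):
    """'3.1.3' -> (3, 1, 3). Missing trailing parts are padded with 0 so that
    '3.1' compares as (3, 1, 0); only the first three numeric parts are used."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_from_plugin_header(header_text):
    """Extract the value of the 'Version:' line from a WordPress plugin
    header comment, or None if there is no such line."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def status(version):
    """Classify a version string against the advisory's boundaries."""
    v = parse_version(version)
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_PATCHED:
        return "patched"
    return "not covered by advisory"


# Constructed sample header, not the plugin's real file.
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP-BusinessDirectory
Version: 3.1.3
*/
"""


def check_header(header_text):
    """Return (version, status) for a plugin file's header text."""
    version = version_from_plugin_header(header_text)
    if version is None:
        return (None, "no Version header found")
    return (version, status(version))


if __name__ == "__main__":
    print(check_header(SAMPLE_HEADER))
```

On a live site the same version is available from WP-CLI with `wp plugin get wp-businessdirectory --field=version`; feed that string to `status()`.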

Similar Attacks

SQL injection is a well-known technique used to access or leak database contents. While the affected product here is WP-BusinessDirectory, similar SQL injection patterns have led to real-world breaches across many industries:

TalkTalk (2015) – customer data exposed following an SQL injection-related breach
Heartland Payment Systems (2008) – major data breach involving SQL injection techniques
