SQL Injection Vulnerability in NotFound WP Multistore Locator Plugin by WordPress
CVE-2025-28898
9.3 CRITICAL
What is CVE-2025-28898?
The NotFound WP Multistore Locator plugin for WordPress contains an SQL injection vulnerability: special elements in user-supplied input are not properly neutralized before the input is used in an SQL command (the weakness class catalogued as CWE-89). An attacker can therefore execute arbitrary SQL queries against the database of an affected WordPress installation, potentially reading sensitive information or altering data. Users of WP Multistore Locator versions prior to 2.5.2 are recommended to assess their risk and apply the necessary updates to mitigate this vulnerability.
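The weakness class behind this advisory is easiest to see with a store-lookup query written both ways. The following is an added example, not code from the plugin or from Patchstack; it models a hypothetical store-locator table in an in-memory SQLite database (the table name, columns and rows are all constructed here) and contrasts string concatenation with a parameterised query. Nothing about the plugin's real schema or request parameters is known from this page.

```python
import sqlite3

# Constructed sample data standing in for a store-locator table.
# This is NOT the plugin's schema; it exists only to make the example runnable offline.
SAMPLE_STORES = [
    (1, "Downtown", "Berlin"),
    (2, "Airport", "Berlin"),
    (3, "Harbour", "Hamburg"),
]

# Constructed input that a benign user would never send: it is a string, not a city,
# and a correctly bound query treats it as one.
TAUTOLOGY_INPUT = "Berlin' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stores (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO stores VALUES (?, ?, ?)", SAMPLE_STORES)
    return conn


def find_stores_vulnerable(conn: sqlite3.Connection, city: str) -> list:
    """CWE-89 pattern: untrusted input is concatenated into the SQL text.

    The quote character in the input terminates the string literal, so the
    remainder of the input becomes part of the statement itself.
    """
    sql = "SELECT id, name FROM stores WHERE city = '" + city + "'"
    return conn.execute(sql).fetchall()


def find_stores_safe(conn: sqlite3.Connection, city: str) -> list:
    """Hardened form: the value is bound as a parameter by the driver.

    The statement structure is fixed before the value is supplied, so the
    input can only ever be compared against the city column, never executed.
    (In WordPress the equivalent is $wpdb->prepare() with %s placeholders.)
    """
    return conn.execute(
        "SELECT id, name FROM stores WHERE city = ?", (city,)
    ).fetchall()


def compare(city: str) -> dict:
    """Run both variants on the same input and report the row counts.

    For a normal city name the counts agree; for the tautology input the
    concatenated query returns every row while the bound query returns none.
    """
    conn = build_db()
    try:
        return {
            "vulnerable_rows": len(find_stores_vulnerable(conn, city)),
            "safe_rows": len(find_stores_safe(conn, city)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("benign   :", compare("Berlin"))
    print("tautology:", compare(TAUTOLOGY_INPUT))
```

The defensive point is that neutralisation by escaping is fragile; binding parameters (here `?` placeholders, in WordPress `$wpdb->prepare()`) removes the problem structurally, because the database never parses the input as SQL.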
Affected Version(s)
WP Multistore Locator <= 2.5.2
References
CVSS V3.1
Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Trương Hữu Phúc (truonghuuphuc) (Patchstack Alliance)