CVE-2025-26974: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-26974) was discovered in WPExperts.io WP Multi Store Locator plugin versions through 2.5.1. The vulnerability was reported on January 30, 2025, and publicly disclosed on February 23, 2025. This security flaw allows unauthenticated attackers to perform Blind SQL Injection attacks against affected WordPress installations (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) with a CVSS v3.1 base score of 9.3 (Critical). The attack vector is network-accessible (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N), requires no user interaction (UI:N), and has a changed scope (S:C). The impact includes high confidentiality impact (C:H), no integrity impact (I:N), and low availability impact (A:L) (Patchstack).

The SQL Injection vulnerability could allow malicious actors to directly interact with the website's database, potentially leading to unauthorized access to sensitive information. Given the critical CVSS score of 9.3, this vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

Website administrators are advised to update to WP Multi Store Locator version 2.5.2 or later immediately. For Patchstack users, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied. Additionally, users can enable auto-update functionality for vulnerable plugins (Patchstack).