CVE-2025-39445
📋 TL;DR
This SQL injection vulnerability in the Super Store Finder WordPress plugin allows attackers to execute arbitrary SQL commands on the database. All WordPress sites running Super Store Finder version 7.2 or earlier are affected, potentially compromising the entire database.
💻 Affected Systems
- Super Store Finder WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, modification, or deletion; potential privilege escalation to WordPress administrator; possible server takeover if database permissions allow file system access.
Likely Case
Data exfiltration from WordPress database including user credentials, sensitive content, and configuration data; potential site defacement or content manipulation.
If Mitigated
Limited impact if proper input validation and parameterized queries are implemented; database permissions restrict damage to non-critical tables.
🎯 Exploit Status
SQL injection vulnerabilities in WordPress plugins are frequently weaponized; public exploit details available through security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 7.3 or later
Vendor Advisory: https://patchstack.com/database/wordpress/plugin/superstorefinder-wp/vulnerability/wordpress-super-store-finder-7-2-sql-injection-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Super Store Finder and click 'Update Now'. 4. Verify update to version 7.3 or later. 5. Clear any caching plugins/CDN caches.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the Super Store Finder plugin until patched
wp plugin deactivate superstorefinder-wp
Web Application Firewall (WAF) rules
allImplement WAF rules to block SQL injection patterns targeting this plugin
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user inputs
- Apply principle of least privilege to database user accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Super Store Finder version 7.2 or earlierCheck Version:
wp plugin get superstorefinder-wp --field=versionVerify Fix Applied:
Verify plugin version is 7.3 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts from single IP
- Unexpected plugin file modifications
Network Indicators:
- HTTP requests with SQL syntax in parameters
- Unusual outbound database connections
SIEM Query:
source="web_server" AND (url="*superstorefinder*" AND (param="*SELECT*" OR param="*UNION*" OR param="*OR 1=1*"))