Monday, June 21st, 2021

WordPress Vulnerability Discovered by Our Researcher

Smarttech247 Offensive Security Senior Researcher Rafal Goryl discovered an A1-class (OWASP Top 10: Injection) SQL injection vulnerability in the GeoDirectory Location Manager plug-in for WordPress, affecting over 10,000 businesses that have installed this plug-in globally.

A zero-day vulnerability is a software bug that has been publicly disclosed but not yet patched by the vendor. Threat actors may already be actively exploiting it in the wild, or a proof-of-concept exploit may already be publicly available.

This kind of vulnerability poses a major security risk: it can leave your networks open to attack, leading to damage to your systems, data and private information.

While conducting our research, one of the actively tested endpoints caught our attention by returning interesting results: it was possible to delay the application's response by a specified amount of time through a single parameter, most likely via a time-based SQL injection. Source code analysis confirmed this assumption, and we prepared a proof-of-concept exploit.
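The tell-tale sign described above, a response that is delayed by exactly the amount of time an attacker specifies in one parameter, is also something a defender can hunt for in web server logs. The following is an added example written for this post, not code from Smarttech247 or from the plug-in: it parses constructed Apache-style access log lines (assumed to have the response time in microseconds appended), flags requests whose URL-decoded parameters contain a database delay primitive, and separately flags requests whose latency is far above the endpoint's typical latency, which catches probes whose payload travels in an unlogged POST body. The endpoint and parameter names in the sample are placeholders.

```python
"""Flag time-based SQL injection probes in access logs (heuristics assumed here, not from the advisory)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache "combined" format with response time in microseconds (%D) appended; assumed layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$')
# Delay primitives of common database engines, matched case-insensitively.
DELAY_RE = re.compile(r'\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay', re.I)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["usec"] = int(rec["usec"])
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    # Decode a second time so double-encoded payloads (%2528 -> "(") are caught too.
    rec["params"] = {k: [unquote_plus(v) for v in vs] for k, vs in
                     parse_qs(parts.query, keep_blank_values=True).items()}
    return rec

def flag_delay_probes(lines, slow_factor=10.0):
    """Return (ip, path, reason) for each request that looks like a delay probe."""
    recs = [r for r in map(parse_line, lines) if r]
    by_path = {}
    for r in recs:
        by_path.setdefault(r["path"], []).append(r["usec"])
    # Typical latency per path: the median of every request seen for it.
    median = {p: sorted(v)[len(v) // 2] for p, v in by_path.items()}
    hits = []
    for r in recs:
        bad = [v for vs in r["params"].values() for v in vs if DELAY_RE.search(v)]
        if bad:  # a signature match counts even if the response came back fast
            hits.append((r["ip"], r["path"], f"delay primitive in parameter: {bad[0]!r}"))
        elif r["usec"] > slow_factor * median[r["path"]]:
            hits.append((r["ip"], r["path"], f"response {r['usec'] / 1e6:.1f}s "
                         f"vs typical {median[r['path']] / 1e6:.2f}s"))
    return hits

# Constructed sample: three ordinary lookups, one URL-encoded probe, one slow POST with an unlogged body.
SAMPLE = [
    '203.0.113.5 - - [21/Jun/2021:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_lookup&term=Dublin HTTP/1.1" 200 512 "-" "Mozilla/5.0" 118000',
    '203.0.113.6 - - [21/Jun/2021:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_lookup&term=Cork HTTP/1.1" 200 498 "-" "Mozilla/5.0" 131000',
    '203.0.113.7 - - [21/Jun/2021:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_lookup&term=Galway HTTP/1.1" 200 505 "-" "Mozilla/5.0" 124000',
    '198.51.100.9 - - [21/Jun/2021:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=example_lookup&term=Dublin%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5120000',
    '198.51.100.9 - - [21/Jun/2021:10:00:18 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" 8040000',
]
```

On the sample, `flag_delay_probes(SAMPLE)` reports the two requests from 198.51.100.9 and none of the ordinary lookups; the latency heuristic needs enough normal traffic per path for the median to be meaningful.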

You will find the official CVE submitted by the Smarttech247 team and the PoC here: https://wpscan.com/vulnerability/5aff50fc-ac96-4076-a07c-bb145ae37025

When you hear about a new zero-day vulnerability like this in WordPress, take it very seriously and pay careful attention. Immediately check whether a fix is available. If not, we urge you to disable and uninstall the plugin for the time being and wait until a patched release is available.

Contact the vendor and ask when they will release a fix. Once you have done that, keep a close eye on vendor announcements so that, as soon as a fix for the zero-day is released, you can apply it and know that your website is secure again.

If you require further information about this vulnerability, please reach out to us.
