CVE-2018-25434: WP AutoSuggest 0.24 SQL Injection via autosuggest.php
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Attackers can send GET requests to autosuggest.php with crafted wpas_keys values to extract sensitive database information from WordPress posts and other tables.
Security readout for executives and security teams
Plain-English summary
CVE-2018-25434 affects WP AutoSuggest 0.24, a WordPress plugin. An unauthenticated attacker may be able to read sensitive database data through SQL injection. For executives, the main concern is potential exposure of WordPress content and related database records from any public site still running this plugin version.
Executive priority
Treat as high priority for any public WordPress site using WP AutoSuggest 0.24. The issue is unauthenticated and may expose sensitive database content, but the provided sources do not confirm active exploitation.
Technical view
Sources describe CWE-89 SQL injection in WP AutoSuggest 0.24 through the wpas_keys parameter handled by autosuggest.php. The CVSS 4.0 score is 8.8, with network access, low complexity, no privileges, and no user interaction. Confidentiality impact is high; integrity impact is limited; availability impact is not indicated.
Likely exposure
Exposure is likely limited to WordPress sites with WP AutoSuggest version 0.24 installed and reachable from the internet. The source bundle does not identify other affected versions or products.
Exploitation context
A public ExploitDB reference exists, but the bundle does not cite active exploitation. KEV status is false, so do not treat this as confirmed exploited in the wild from the provided evidence.
Researcher notes
The evidence supports an unauthenticated SQL injection in a specific plugin version, with public exploit reference metadata. Patch status is not provided in the bundle; avoid asserting fixed versions or broader product impact without vendor confirmation.
Mitigation direction
Inventory WordPress sites for WP AutoSuggest and confirm installed versions.
Disable or remove WP AutoSuggest 0.24 until vendor guidance identifies a safe version.
Check the WordPress plugin page and vendor sources for official remediation guidance.
Review database and WordPress administrative activity for unexpected changes or data access.
Prioritize internet-facing WordPress sites before internal or retired instances.
Validation and detection
Confirm whether WP AutoSuggest 0.24 is installed on each WordPress instance.
Check web logs for unusual requests to autosuggest.php involving wpas_keys.
Review WordPress plugin inventory against the affected version stated in the CVE bundle.
Validate that disabled or removed plugin files are no longer web-accessible.
Document any evidence of database exposure for incident response review.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-89: Database access and collection lookup
Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-89 · source CWE mapping
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.