CVE-2025-28904 Overview
CVE-2025-28904 is a blind SQL injection vulnerability in the Shamalli Web Directory Free WordPress plugin. The flaw affects all versions of web-directory-free up to and including 1.7.6. The plugin fails to properly neutralize special elements in SQL commands, allowing unauthenticated attackers to inject arbitrary SQL through crafted requests. The vulnerability is classified under CWE-89 and carries a CVSS 3.1 score of 9.3. Because exploitation requires no authentication or user interaction, any WordPress site running a vulnerable version is directly exposed to remote attack over the network.
Critical Impact
Unauthenticated attackers can execute blind SQL injection against WordPress sites running Web Directory Free <= 1.7.6, enabling extraction of database contents and potential further compromise.
Affected Products
- Shamalli Web Directory Free (web-directory-free) WordPress plugin
- All versions from initial release through 1.7.6
- WordPress installations with the vulnerable plugin activated
Discovery Timeline
- 2025-03-25 - CVE-2025-28904 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-28904
Vulnerability Analysis
The vulnerability stems from improper neutralization of special elements used in SQL commands within the Web Directory Free plugin. User-controlled input reaches database query construction without parameterization or proper sanitization. Attackers send crafted HTTP requests containing SQL syntax that the plugin concatenates directly into queries executed against the WordPress database.
The blind nature of the injection means results are not returned directly in HTTP responses. Attackers infer data through boolean conditions or time-based payloads, observing differences in response behavior. Despite the blind classification, full database extraction is achievable through automated tooling.
The scope-changed CVSS vector indicates that the impact extends beyond the vulnerable component to the underlying WordPress database and potentially to other plugins sharing the same data store. Confidentiality impact is high, integrity is not affected, and availability impact is low.
Root Cause
The root cause is the construction of SQL statements through string concatenation with unsanitized user input. The plugin does not use wpdb::prepare() with placeholders, nor does it apply esc_sql() or type casting to incoming parameters. This pattern allows special SQL characters such as single quotes and comment markers to alter query structure.
Attack Vector
An unauthenticated remote attacker sends HTTP requests to a vulnerable endpoint exposed by the plugin. The request includes parameters containing SQL payloads designed to test boolean conditions or trigger time delays. By iterating payloads and observing response characteristics, the attacker extracts database content including WordPress user credentials, session tokens, and arbitrary table data.
The vulnerability mechanism is described in the Patchstack SQL Injection Advisory. No verified public proof-of-concept code is available at this time, and the EPSS score remains low at 0.076%.
Detection Methods for CVE-2025-28904
Indicators of Compromise
- HTTP requests to Web Directory Free plugin endpoints containing SQL metacharacters such as ', --, UNION SELECT, SLEEP(, or BENCHMARK(
- Unusual response time variance on plugin URLs, indicating time-based blind injection probing
- Repeated requests from a single source to the same plugin endpoint with incrementally changing parameter values
- Web server logs showing web-directory-free query strings with encoded SQL payloads
Detection Strategies
- Deploy web application firewall rules that flag SQL injection signatures targeting WordPress plugin paths
- Monitor WordPress database query logs for malformed or unusual SELECT statements originating from plugin code paths
- Correlate HTTP 200 responses with anomalous response time distributions on plugin endpoints
- Enable WordPress debug logging to capture errors generated by malformed SQL during exploitation attempts
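As an added example (not code from the page, the plugin, or Patchstack), the following Python script applies the indicators and detection strategies above to web server access-log lines: it matches the listed SQL metacharacters after URL-decoding (so encoded payloads are caught), flags slow responses and wide timing variance on plugin endpoints, and flags a single source iterating parameter values against one endpoint. It assumes an Apache combined log with the request time (%D) appended as the last field; the sample lines and their query parameter names are constructed.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import unquote_plus

PLUGIN_MARKER = "web-directory-free"  # plugin slug named in the advisory
# Metacharacters and functions listed under Indicators of Compromise.
SQLI_PATTERN = re.compile(
    r"'|--|\bUNION\s+SELECT\b|\bSLEEP\s*\(|\bBENCHMARK\s*\(", re.IGNORECASE)
# Assumed log format: Apache combined log with "%D" (request time in
# microseconds) appended as the last field; timing analysis depends on it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ (?P<usec>\d+)$')

# Constructed sample lines; the ?page=...&q= parameters are hypothetical.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Mar/2025:10:00:01 +0000] "GET /?page=web-directory-free&q=plumber HTTP/1.1" 200 5120 180000
198.51.100.7 - - [25/Mar/2025:10:00:05 +0000] "GET /?page=web-directory-free&q=plumber%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 5120 5180000
198.51.100.7 - - [25/Mar/2025:10:00:11 +0000] "GET /?page=web-directory-free&q=plumber%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 190000
203.0.113.9 - - [25/Mar/2025:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 900 4000
"""

def has_sqli_payload(target):
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are caught too.
    return SQLI_PATTERN.search(unquote_plus(unquote_plus(target))) is not None

def analyze(lines, slow_ms=3000, min_hits=3):
    findings = []  # list of (kind, source_ip, detail)
    per_source = defaultdict(list)  # (ip, path) -> [(request_ms, full target)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m or PLUGIN_MARKER not in m["target"]:
            continue  # only requests that touch the plugin are of interest
        ip, target = m["ip"], m["target"]
        ms = int(m["usec"]) / 1000
        per_source[(ip, target.split("?", 1)[0])].append((ms, target))
        if has_sqli_payload(target):
            findings.append(("sqli_metachars", ip, target))
        if ms >= slow_ms:  # a SLEEP()/BENCHMARK() probe stalls the response
            findings.append(("slow_response", ip, target))
    for (ip, path), hits in per_source.items():
        times = [ms for ms, _ in hits]
        # Wide timing spread on one endpoint from one source: time-based probing.
        if len(hits) >= min_hits and statistics.pstdev(times) > slow_ms / 2:
            findings.append(("timing_variance", ip, path))
        # Every request carried a different query string: payload iteration.
        if len(hits) >= min_hits and len({t for _, t in hits}) == len(hits):
            findings.append(("param_iteration", ip, path))
    return findings
```

Running analyze(SAMPLE_LOG.splitlines()) flags the two metacharacter requests, the one stalled response, and both the timing-variance and parameter-iteration patterns for 198.51.100.7, while the unrelated wp-login.php request produces nothing.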
Monitoring Recommendations
- Track the volume of database queries issued by the WordPress host and alert on sudden spikes consistent with automated extraction
- Alert on access to wp_users and wp_usermeta tables outside normal authentication flows
- Aggregate plugin endpoint access logs and apply anomaly detection to request rate and parameter entropy
How to Mitigate CVE-2025-28904
Immediate Actions Required
- Deactivate and remove the Web Directory Free plugin if a patched version is not available for your installation
- Restrict access to plugin endpoints at the web server or WAF layer until remediation is verified
- Rotate WordPress administrator credentials and any secrets stored in the database after confirming exposure
- Review WordPress access logs for evidence of prior exploitation against plugin URLs
Patch Information
At the time of NVD publication, the advisory indicates the vulnerability affects all versions through 1.7.6. Site operators should consult the Patchstack SQL Injection Advisory for the latest fixed version information and apply updates as soon as the vendor releases a patched build.
Workarounds
- Block requests to vulnerable plugin endpoints using WAF rules targeting SQL injection payload patterns
- Apply database-level least privilege by ensuring the WordPress database user cannot read tables outside its required scope
- Disable the plugin entirely on production sites and use an alternative directory plugin until a fix is published
- Place the WordPress instance behind an authentication proxy if the plugin functionality is not required for public users
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.