CVE-2018-25434
Deferred Deferred - Pending Action
SQL Injection in WP AutoSuggest Plugin

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulnCheck

Description
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Attackers can send GET requests to autosuggest.php with crafted wpas_keys values to extract sensitive database information from WordPress posts and other tables.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2018-25434
EUVD
EUVD-2018-21955
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_autosuggest wp_autosuggest 0.24
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

WP AutoSuggest version 0.24 has an SQL injection vulnerability. This means that attackers who are not authenticated can inject malicious SQL code through the wpas_keys parameter. By sending specially crafted GET requests to the autosuggest.php file with manipulated wpas_keys values, attackers can execute arbitrary SQL queries on the database.

This allows them to extract sensitive information stored in the WordPress database, including data from posts and other tables.

Impact Analysis

This vulnerability can have serious impacts because it allows unauthenticated attackers to access sensitive database information. They can extract confidential data from WordPress posts and other database tables, potentially leading to data breaches.

The CVSS score of 8.2 (v3.1) and 8.8 (v4.0) indicates a high severity, meaning the vulnerability is easy to exploit remotely without any privileges or user interaction, and it can result in a high impact on confidentiality.

Compliance Impact

The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries and extract sensitive database information from WordPress posts and other tables. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.

By enabling attackers to access sensitive information without authentication, the vulnerability increases the risk of data breaches, which can result in legal and regulatory consequences for organizations handling protected data.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious GET requests to the autosuggest.php file containing crafted or unusual values in the 'wpas_keys' parameter.

One practical approach is to use tools like sqlmap to test the vulnerability by sending specially crafted requests targeting the 'wpas_keys' parameter.

For example, a command using sqlmap might look like this:

  • sqlmap -u "http://targetsite.com/wp-autosuggest/autosuggest.php?wpas_keys=test" --risk=3 --level=5 --dbs

Additionally, network monitoring tools or web application firewalls (WAFs) can be configured to alert on GET requests to autosuggest.php with suspicious 'wpas_keys' parameter values.

Mitigation Strategies

Immediate mitigation steps include disabling or removing the WP AutoSuggest plugin version 0.24 from your WordPress installation, as it is vulnerable to SQL injection.

Since the plugin was removed from the WordPress Plugin Directory and no updates are available, it is recommended to replace it with a secure alternative or custom solution.

In addition, you should implement web application firewall (WAF) rules to block or monitor suspicious requests targeting autosuggest.php and the 'wpas_keys' parameter.

Regularly review and monitor your logs for any attempts to exploit this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25434. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart