CVE-2025-39445: 
WordPress vulnerability analysis and mitigation

The Super Store Finder WordPress plugin contains an SQL Injection vulnerability (CVE-2025-39445) that affects versions up to and including 7.2. The vulnerability was discovered by Anhchangmutrang and was publicly disclosed on April 17, 2025. This security issue exists due to insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the plugin (Wiz, WPScan).

The vulnerability is classified as an SQL Injection (CWE-89) that allows unauthenticated attackers to append additional SQL queries to existing ones. The severity of this vulnerability is rated as Critical with a CVSS v3.1 base score of 9.3, with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L (Patchstack).

This vulnerability enables unauthenticated attackers to interact directly with the database, potentially leading to unauthorized access to sensitive information. The high CVSS score indicates that this vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

The vulnerability has been fixed in version 7.5 of the Super Store Finder plugin. Users are strongly advised to update to version 7.5 or later immediately. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until users can update to the fixed version (Patchstack).