CVE-2025-39504: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2025-39504) was discovered in GoodLayers Goodlayers Hotel plugin versions up to 3.1.4. The vulnerability was disclosed on May 23, 2025, and allows unauthenticated attackers to perform Blind SQL Injection attacks against affected WordPress installations (Patchstack, NVD).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and has received a CVSS v3.1 base score of 9.3 CRITICAL. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N) or user interaction (UI:N), and has a changed scope (S:C). The impact metrics indicate high confidentiality impact (C:H), no integrity impact (I:N), and low availability impact (A:L) (NVD, Patchstack).

The SQL injection vulnerability could allow malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information. Given the unauthenticated nature of the attack and the critical CVSS score, this vulnerability poses a significant risk to affected installations (Patchstack).

No official fix is currently available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately (Patchstack).