CVE-2018-25434

HIGH

WP AutoSuggest 0.24 - Unauthenticated SQL Injection via wpas_keys Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25434. PoCs published by Kaimi.

AI-analyzed exploit summary The exploit describes a SQL injection vulnerability in WP AutoSuggest 0.24, where the 'wpas_keys' parameter in autosuggest.php is unsafely interpolated into a SQL query. The author provides the vulnerable code snippet and an example using sqlmap for exploitation.

Description

WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Attackers can send GET requests to autosuggest.php with crafted wpas_keys values to extract sensitive database information from WordPress posts and other tables.

Exploits (1)

exploitdb WRITEUP
by Kaimi · textwebappsphp
https://www.exploit-db.com/exploits/45977

The exploit describes a SQL injection vulnerability in WP AutoSuggest 0.24, where the 'wpas_keys' parameter in autosuggest.php is unsafely interpolated into a SQL query. The author provides the vulnerable code snippet and an example using sqlmap for exploitation.

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: WP AutoSuggest 0.24
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Jun 02, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/45977
Various Sources product
https://kaimi.io

Scores

CVSS v3 8.2
EPSS 0.0009
EPSS Percentile 25.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
eliekhoury/WP AutoSuggest 0.24
Published Jun 01, 2026
Tracked Since Jun 02, 2026