A serious SQL injection vulnerability in the WordPress Paid Membership Subscriptions plugin affects versions 2.15.1 and below, allowing attackers to manipulate database queries without authentication. This flaw, tracked as CVE-2025-49870, has been patched in version 2.15.2, and all users should update immediately to prevent data theft and site compromise.
A significant security vulnerability has been identified and patched in the WordPress Paid Membership Subscriptions plugin, a tool utilized by over 10,000 websites to manage user memberships and process payments. The flaw, designated as CVE-2025-49870, is a severe unauthenticated SQL injection vulnerability affecting all plugin versions up to and including 2.15.1. This critical issue allows malicious actors to execute arbitrary SQL queries on a site’s database without needing to log in. The vulnerability was discovered by Patchstack Alliance researcher ChuongVN, who confirmed the fix implemented in version 2.15.2. This discovery highlights the ongoing importance of diligence in web security, especially for plugins that handle sensitive user data and financial transactions.
The root cause of the vulnerability lies in how the plugin handles PayPal Instant Payment Notifications (IPNs). When a payment transaction is processed, the plugin’s code directly uses a payment ID provided by the user and inserts it into a database query. Critically, this process occurs without proper validation or sanitization of the user-supplied data. An attacker can exploit this weakness by crafting a malicious input that includes harmful SQL code, which the database then executes. This oversight allows the attacker to alter the intended structure of the database query, giving them unauthorized access to sensitive information, the ability to modify records, or even to delete the entire database.
SQL injection attacks have long been a significant threat to web applications and are consistently ranked among the most dangerous web security risks.
The potential for a successful SQL injection attack to compromise an entire database is why this vulnerability is so concerning. Attackers can steal confidential user data, including names, emails, and financial information. They can also gain administrative access, manipulate website content, or inject malware. The Patchstack advisory correctly points out that developers must always escape and format user input safely before performing a query. The best practice, and the method used to fix this vulnerability, is the use of prepared statements, which separate the query structure from the user-supplied data, effectively preventing injection.
The vulnerability has been completely addressed in version 2.15.2 of the WordPress Paid Membership Subscriptions plugin. The updated version implements prepared statements to safely handle user input, closing the security hole. This fix prevents attackers from injecting malicious code into database queries. For anyone running a website that uses this plugin, the advice is clear and urgent: upgrade to version 2.15.2 as soon as possible. Delaying the update leaves your site, and your users’ data, exposed to potential compromise. While the vulnerability has been patched, sites running older versions remain at risk until the update is applied.
This incident serves as a stark reminder of the constant need for vigilance in web security. Vulnerabilities like CVE-2025-49870 underscore that even popular and widely used plugins can have serious security flaws. Site administrators should regularly check for plugin and theme updates and apply them promptly. Developers, in turn, must follow secure coding practices and conduct thorough security audits. The ongoing partnership between security researchers like ChuongVN and plugin developers is crucial for identifying and fixing these issues before they can be widely exploited.
Reference: