Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

High Risk SQLi In WordPress Plugin

September 2, 2025
Reading Time: 3 mins read
in Alerts
Sitecore Exploit Chain Warning

A serious SQL injection vulnerability in the WordPress Paid Membership Subscriptions plugin affects versions 2.15.1 and below, allowing attackers to manipulate database queries without authentication. This flaw, tracked as CVE-2025-49870, has been patched in version 2.15.2, and all users should update immediately to prevent data theft and site compromise.

A significant security vulnerability has been identified and patched in the WordPress Paid Membership Subscriptions plugin, a tool utilized by over 10,000 websites to manage user memberships and process payments. The flaw, designated as CVE-2025-49870, is a severe unauthenticated SQL injection vulnerability affecting all plugin versions up to and including 2.15.1. This critical issue allows malicious actors to execute arbitrary SQL queries on a site’s database without needing to log in. The vulnerability was discovered by Patchstack Alliance researcher ChuongVN, who confirmed the fix implemented in version 2.15.2. This discovery highlights the ongoing importance of diligence in web security, especially for plugins that handle sensitive user data and financial transactions.

The root cause of the vulnerability lies in how the plugin handles PayPal Instant Payment Notifications (IPNs). When a payment transaction is processed, the plugin’s code directly uses a payment ID provided by the user and inserts it into a database query. Critically, this process occurs without proper validation or sanitization of the user-supplied data. An attacker can exploit this weakness by crafting a malicious input that includes harmful SQL code, which the database then executes. This oversight allows the attacker to alter the intended structure of the database query, giving them unauthorized access to sensitive information, the ability to modify records, or even to delete the entire database.

SQL injection attacks have long been a significant threat to web applications and are consistently ranked among the most dangerous web security risks.

The potential for a successful SQL injection attack to compromise an entire database is why this vulnerability is so concerning. Attackers can steal confidential user data, including names, emails, and financial information. They can also gain administrative access, manipulate website content, or inject malware. The Patchstack advisory correctly points out that developers must always escape and format user input safely before performing a query. The best practice, and the method used to fix this vulnerability, is the use of prepared statements, which separate the query structure from the user-supplied data, effectively preventing injection.

The vulnerability has been completely addressed in version 2.15.2 of the WordPress Paid Membership Subscriptions plugin. The updated version implements prepared statements to safely handle user input, closing the security hole. This fix prevents attackers from injecting malicious code into database queries. For anyone running a website that uses this plugin, the advice is clear and urgent: upgrade to version 2.15.2 as soon as possible. Delaying the update leaves your site, and your users’ data, exposed to potential compromise. While the vulnerability has been patched, sites running older versions remain at risk until the update is applied.

This incident serves as a stark reminder of the constant need for vigilance in web security. Vulnerabilities like CVE-2025-49870 underscore that even popular and widely used plugins can have serious security flaws. Site administrators should regularly check for plugin and theme updates and apply them promptly. Developers, in turn, must follow secure coding practices and conduct thorough security audits. The ongoing partnership between security researchers like ChuongVN and plugin developers is crucial for identifying and fixing these issues before they can be widely exploited.

Reference:

  • Critical SQLi Vulnerability Puts WordPress Membership Users At Risk
Tags: Cyber AlertsCyber Alerts 2025CyberattackCybersecuritySeptember 2025
ADVERTISEMENT

Related Posts

Sitecore Exploit Chain Warning

Sitecore Exploit Chain Warning

September 2, 2025
Sitecore Exploit Chain Warning

AI Weaponized Nx Supply Chain Attack

September 2, 2025
North Korea APT37 Uses RokRAT In Phishing

North Korea APT37 Uses RokRAT In Phishing

September 1, 2025
North Korea APT37 Uses RokRAT In Phishing

Brokewell Android Malware In Fake Ads

September 1, 2025
North Korea APT37 Uses RokRAT In Phishing

New Zero Click Exploit Targets WhatsApp

September 1, 2025
Shadowcaptcha Exploits WordPress Sites

AI Systems Used for Ransomware Attacks

August 28, 2025

Latest Alerts

High Risk SQLi In WordPress Plugin

AI Weaponized Nx Supply Chain Attack

Sitecore Exploit Chain Warning

Brokewell Android Malware In Fake Ads

North Korea APT37 Uses RokRAT In Phishing

New Zero Click Exploit Targets WhatsApp

Subscribe to our newsletter

    Latest Incidents

    Lotte Card Cyberattack Reported

    Von Der Leyen Plane GPS Jamming

    Zscaler Data Breach Exposes Info

    Google Warns Salesloft Breach Hit Accounts

    Fraudster Stole Millions From Baltimore

    MathWorks Confirms Cyberattack Data Stolen

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial