Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

High Risk SQLi In WordPress Plugin

September 2, 2025
Reading Time: 3 mins read
in Alerts
Sitecore Exploit Chain Warning

A serious SQL injection vulnerability in the WordPress Paid Membership Subscriptions plugin affects versions 2.15.1 and below, allowing attackers to manipulate database queries without authentication. This flaw, tracked as CVE-2025-49870, has been patched in version 2.15.2, and all users should update immediately to prevent data theft and site compromise.

A significant security vulnerability has been identified and patched in the WordPress Paid Membership Subscriptions plugin, a tool utilized by over 10,000 websites to manage user memberships and process payments. The flaw, designated as CVE-2025-49870, is a severe unauthenticated SQL injection vulnerability affecting all plugin versions up to and including 2.15.1. This critical issue allows malicious actors to execute arbitrary SQL queries on a site’s database without needing to log in. The vulnerability was discovered by Patchstack Alliance researcher ChuongVN, who confirmed the fix implemented in version 2.15.2. This discovery highlights the ongoing importance of diligence in web security, especially for plugins that handle sensitive user data and financial transactions.

The root cause of the vulnerability lies in how the plugin handles PayPal Instant Payment Notifications (IPNs). When a payment transaction is processed, the plugin’s code directly uses a payment ID provided by the user and inserts it into a database query. Critically, this process occurs without proper validation or sanitization of the user-supplied data. An attacker can exploit this weakness by crafting a malicious input that includes harmful SQL code, which the database then executes. This oversight allows the attacker to alter the intended structure of the database query, giving them unauthorized access to sensitive information, the ability to modify records, or even to delete the entire database.

SQL injection attacks have long been a significant threat to web applications and are consistently ranked among the most dangerous web security risks.

The potential for a successful SQL injection attack to compromise an entire database is why this vulnerability is so concerning. Attackers can steal confidential user data, including names, emails, and financial information. They can also gain administrative access, manipulate website content, or inject malware. The Patchstack advisory correctly points out that developers must always escape and format user input safely before performing a query. The best practice, and the method used to fix this vulnerability, is the use of prepared statements, which separate the query structure from the user-supplied data, effectively preventing injection.

The vulnerability has been completely addressed in version 2.15.2 of the WordPress Paid Membership Subscriptions plugin. The updated version implements prepared statements to safely handle user input, closing the security hole. This fix prevents attackers from injecting malicious code into database queries. For anyone running a website that uses this plugin, the advice is clear and urgent: upgrade to version 2.15.2 as soon as possible. Delaying the update leaves your site, and your users’ data, exposed to potential compromise. While the vulnerability has been patched, sites running older versions remain at risk until the update is applied.

This incident serves as a stark reminder of the constant need for vigilance in web security. Vulnerabilities like CVE-2025-49870 underscore that even popular and widely used plugins can have serious security flaws. Site administrators should regularly check for plugin and theme updates and apply them promptly. Developers, in turn, must follow secure coding practices and conduct thorough security audits. The ongoing partnership between security researchers like ChuongVN and plugin developers is crucial for identifying and fixing these issues before they can be widely exploited.

Reference:

  • Critical SQLi Vulnerability Puts WordPress Membership Users At Risk
Tags: Cyber AlertsCyber Alerts 2025CyberattackCybersecuritySeptember 2025
ADVERTISEMENT

Related Posts

FBI Issues Warning on Spoofed IC3 Website

FBI Issues Warning on Spoofed IC3 Website

September 22, 2025
FBI Issues Warning on Spoofed IC3 Website

Infostealer Hits macOS Users Widely

September 22, 2025
FBI Issues Warning on Spoofed IC3 Website

SonicWall Warns Reset After Exposure

September 22, 2025
Steganography Cloud C2 In Modular Chain

Steganography Cloud C2 In Modular Chain

September 19, 2025
Steganography Cloud C2 In Modular Chain

Fake Empire Targets Crypto With AMOS

September 19, 2025
Steganography Cloud C2 In Modular Chain

SEO Poisoning Hits Chinese Users

September 19, 2025

Latest Alerts

SonicWall Warns Reset After Exposure

Infostealer Hits macOS Users Widely

FBI Issues Warning on Spoofed IC3 Website

Steganography Cloud C2 In Modular Chain

Fake Empire Targets Crypto With AMOS

SEO Poisoning Hits Chinese Users

Subscribe to our newsletter

    Latest Incidents

    Steam Game Steals Streamer Donations

    Ransomware Gang Hacks Spartanburg County

    Cyberattack Hits Europe Airport Systems

    Russian Hackers Hit Polish Hospitals

    New York Blood Center Data Breach

    Tiffany Data Breach Hits Thousands

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial