- An improper-neutralization (SQL injection) flaw was found in the Paid Membership Subscriptions plugin for WordPress
- The plugin is used by more than 10,000 sites to run memberships and paid user accounts
- A patch is now available, so users should update immediately
A high-severity vulnerability has been discovered in a popular premium WordPress plugin, allowing threat actors to access or exfiltrate sensitive data without authentication.
Security researcher Chuongvn of the Patchstack Alliance recently found an "improper neutralization of special elements used in an SQL command" flaw affecting the Paid Membership Subscriptions plugin for WordPress.
Paid Membership Subscriptions is a plugin that helps site owners create and manage membership-based sites. It allows administrators to restrict content, create subscription plans, accept recurring payments and control user access based on membership level. It is quite popular, being used by more than 10,000 websites.
Among the plugin's standout features is its integration with popular payment gateways such as PayPal and Stripe, but this is also where the problem comes from.
The plugin's instant payment notification (IPN) handler was the weak point: when a transaction was processed, the plugin extracted a payment ID directly from user-supplied data and inserted it into a database query without adequate validation.
By manipulating this input, attackers could gain unauthorized access to sensitive information or modify stored records.
In a real-life scenario, an attacker could inject malicious queries into the site database, allowing them to extract email addresses or password hashes of paying members. This information could be used to launch phishing attacks against subscribers, or credential-stuffing attacks on other platforms where the same login details are reused.
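To make the described flaw concrete, here is an added illustration (not the plugin's actual code) of the pattern the advisory describes, with the vulnerable IPN handler beside a hardened version that validates the payment ID and binds it through WordPress's `$wpdb->prepare()`. The function names, the `custom` IPN field and the `membership_payments` table are hypothetical placeholders; a WordPress runtime providing `$wpdb` and `absint()` is assumed.

```php
<?php
// Added illustration, not the plugin's own code. Function names, the IPN
// field key and the table name are hypothetical. Assumes WordPress ($wpdb).

// Pattern described in the advisory: an IPN handler takes a payment ID from
// the request body and interpolates it straight into SQL, so whatever value
// the sender supplies becomes part of the query text.
function ipn_lookup_payment_vulnerable( array $ipn_data ) {
    global $wpdb;
    $payment_id = $ipn_data['custom'];                  // request-controlled
    $table      = $wpdb->prefix . 'membership_payments'; // hypothetical table
    // VULNERABLE: string concatenation, no type check, no escaping.
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE id = {$payment_id}" );
}

// Hardened form: validate the shape first, then bind with $wpdb->prepare().
function ipn_lookup_payment_hardened( array $ipn_data ) {
    global $wpdb;
    $raw = $ipn_data['custom'] ?? '';
    // A payment ID is a positive integer; reject anything else before it
    // gets anywhere near the database.
    if ( ! ctype_digit( (string) $raw ) ) {
        return null;
    }
    $payment_id = absint( $raw );
    if ( 0 === $payment_id ) {
        return null;
    }
    $table = $wpdb->prefix . 'membership_payments';
    // %d is an integer placeholder: the value can no longer alter the query.
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $payment_id )
    );
}

// Defence in depth: before trusting any IPN field at all, the handler should
// first confirm the notification really came from the gateway (PayPal's IPN
// protocol has the receiver post the raw message back and expects "VERIFIED").
```

Reviewing a site for this class of bug means looking for any `$wpdb->query()`/`get_row()`/`get_results()` call whose SQL string is built by concatenation from `$_POST`, `$_GET` or `$_REQUEST` data rather than passed through `prepare()`.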
The bug is now tracked as CVE-2025-49870 and carries a severity score of 7.5/10 (high). It was fixed in version 2.15.2, and users are advised to update their plugins as soon as possible.
WordPress is the world's most popular website builder, powering more than half of all websites in existence. As such, its plugins and themes are a popular target among cybercriminals looking for an easy way into websites, their content and their users' data.
Via Infosecurity Magazine