- An improper neutralization flaw was found in the WordPress Paid Membership Subscriptions plugin
- This plugin is used by more than 10,000 sites, enabling memberships and paying user accounts
- A patch is now available, so users should update immediately
A high-severity vulnerability has been discovered in a popular premium WordPress plugin, allowing threat actors to access, or exfiltrate, sensitive data without authentication.
Security researcher ChuongVN from the Patchstack Alliance recently found an “improper neutralization of special elements used in an SQL command” flaw, affecting the WordPress Paid Membership Subscriptions plugin.
Paid Member Subscriptions is a plugin helping site owners create and manage membership-based websites. It lets admins restrict content, create subscription plans, accept recurring payments, and control user access based on membership level. It is rather popular, being used by more than 10,000 websites.
Among the plugin’s standout features is its integration with popular payment gateways like PayPal and Stripe, but this is also where the problem stems from.
The plugin’s handling of PayPal Instant Payment Notifications (IPN) was problematic, as when a transaction was processed, the plugin extracted a payment ID directly from user-supplied data and inserted it into a database query without proper validation.
By manipulating this input, attackers could gain unauthorized access to sensitive information or modify stored records.
In a real-life scenario, an attacker could inject malicious queries into the site’s database, allowing them to extract email addresses or hashed passwords of paying members. This information could then be used to launch phishing attacks against subscribers, or credential-stuffing attacks on other platforms where the same login details are used.
The bug is now tracked as CVE-2025-49870, and carries a severity score of 7.5/10 (high). It was fixed in version 2.15.2, and users are now advised to upgrade their plugins as soon as possible.
WordPress is the world’s most popular website builder, powering more than half of all websites in existence. As such, its plugins and themes are a popular target among cybercriminals looking for an easy way into websites, their content, and their users’ data.
You might also like
https://cdn.mos.cms.futurecdn.net/7NLZKWEKmFLJVAH4nubeaX.jpg
Source link
