- An improper-neutralization (SQL injection) flaw was found in the Paid Membership Subscriptions WordPress plugin
- The plugin is used by more than 10,000 sites to sell subscriptions and manage paying member accounts
- A fix is available, so users should update immediately
A high-severity vulnerability has been discovered in a popular WordPress membership plugin that allows unauthenticated threat actors to access or exfiltrate sensitive data.
Security researcher CHUONGVN of the Patchstack Alliance recently found an "improper neutralization of special elements used in an SQL command" flaw (SQL injection, CWE-89) affecting the Paid Membership Subscriptions WordPress plugin.
Paid Membership Subscriptions is a plugin that helps site owners build and run membership-based sites. It lets administrators restrict content, create subscription plans, accept recurring payments and control user access by membership level. It is fairly popular, with more than 10,000 websites using it.
Among the plugin's standout features is its integration with popular payment gateways such as PayPal and Stripe, but that is also where the problem originates.
The plugin's handling of PayPal Instant Payment Notifications (IPN) was flawed: when a transaction was processed, the plugin took a payment ID straight from user-supplied request data and inserted it into a database query without proper validation or escaping.
By manipulating this input, an attacker could gain unauthorized access to sensitive information or modify stored records.
In a realistic scenario, an attacker could inject malicious queries into the site's database, allowing them to extract the e-mail addresses or hashed passwords of paying members. That information could then be used to launch phishing attacks against subscribers, or credential-stuffing attacks on other platforms where the same login details are reused.
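The following is an added illustration of the bug class described above, not code from the plugin or from Patchstack. It uses Python with an in-memory SQLite database standing in for WordPress's MySQL tables; the table and column names (`wp_users`, `pms_payments`), the stored rows and the allow-list regex are assumptions made for the example, while `txn_id` is the field name PayPal's IPN messages actually use. It shows a payment lookup that concatenates the IPN field into the query, the same lookup with the value bound as a parameter, and a hardened version that also rejects IDs that do not match the expected shape:

```python
import re
import sqlite3


# Constructed stand-in for a membership site's database. Schema and rows are assumptions
# for this example, not the plugin's real tables; SQLite replaces MySQL so it runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_email TEXT, user_pass TEXT);
        CREATE TABLE pms_payments (id INTEGER PRIMARY KEY, transaction_id TEXT, status TEXT);
        INSERT INTO wp_users VALUES (1, 'alice@example.com', '$P$B_hash_of_alice');
        INSERT INTO wp_users VALUES (2, 'bob@example.com',   '$P$B_hash_of_bob');
        INSERT INTO pms_payments VALUES (10, 'TXN123', 'pending');
    """)
    return conn


# Vulnerable pattern: the IPN field is concatenated straight into the SQL string.
# An IPN endpoint is reachable without authentication, so anyone can send this POST body.
def lookup_payment_vulnerable(conn, ipn_post):
    txn_id = ipn_post.get("txn_id", "")
    sql = f"SELECT id, status FROM pms_payments WHERE transaction_id = '{txn_id}'"
    return conn.execute(sql).fetchall()


# First layer of the fix: bind the value as a query parameter (what $wpdb->prepare() does
# in WordPress), so the database never parses it as SQL regardless of its contents.
def lookup_payment_parameterized(conn, txn_id):
    sql = "SELECT id, status FROM pms_payments WHERE transaction_id = ?"
    return conn.execute(sql, (txn_id,)).fetchall()


# Second layer: an allow-list for the field's expected shape (assumed pattern for this
# example). Anything else is rejected before a query is even built.
TXN_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


def lookup_payment_hardened(conn, ipn_post):
    txn_id = ipn_post.get("txn_id", "")
    if not TXN_ID_RE.fullmatch(txn_id):
        raise ValueError("rejected malformed txn_id")
    return lookup_payment_parameterized(conn, txn_id)


def demo():
    conn = make_db()
    legit = {"txn_id": "TXN123"}
    # Constructed attack payload: closes the string literal, then UNIONs the users table in
    # so e-mail addresses and password hashes come back in the payment lookup's result set.
    attack = {"txn_id": "x' UNION SELECT user_email, user_pass FROM wp_users -- "}

    results = {
        "vulnerable_legit": lookup_payment_vulnerable(conn, legit),
        "vulnerable_attack": sorted(lookup_payment_vulnerable(conn, attack)),
        "parameterized_attack": lookup_payment_parameterized(conn, attack["txn_id"]),
        "hardened_legit": lookup_payment_hardened(conn, legit),
    }
    try:
        lookup_payment_hardened(conn, attack)
        results["hardened_attack"] = "query ran"
    except ValueError as exc:
        results["hardened_attack"] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the vulnerable lookup, the crafted `txn_id` returns both users' e-mail addresses and password hashes in place of a payment row; the parameterized lookup simply finds no payment with that literal ID, and the hardened version refuses the input before touching the database. Binding parameters is the fix that actually removes the injection; the allow-list is defence in depth. Because an IPN endpoint is unauthenticated by design, a handler should also only act on a notification after verifying it with PayPal's IPN postback check, since a well-formed `txn_id` from an unverified message still proves nothing about the payment.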
The bug is now tracked as CVE-2025-49870 and carries a severity score of 7.5 out of 10 (high). It has been fixed in version 2.15.2, and users are urged to upgrade their plugin as soon as possible.
WordPress is the world's most popular website platform, powering over 40% of all websites. As such, its plugins and themes are a popular target for cybercriminals looking for an easy way into websites, their content and their user data.
Via Infosecurity magazine