A critical unauthenticated SQL injection vulnerability (CVE-2025-49870) was discovered in the WordPress Paid Membership Subscriptions plugin (versions ≤2.15.1), exposing over 10,000 websites managing memberships and recurring payments. The flaw stems from improper handling of PayPal IPN payment IDs, allowing attackers to inject malicious SQL queries without authentication. Exploitation could lead to unauthorized database access, enabling attackers to steal sensitive user data (e.g., payment details, membership records) or modify/delete critical records. While no active exploits are confirmed, the risk is severe due to the plugin's widespread use in e-commerce, subscription services, and membership-based platforms. The vulnerability was patched in version 2.15.2, which enforces numeric validation for payment IDs, replaces vulnerable query concatenation with prepared statements, and strengthens input sanitization. Failure to update leaves sites vulnerable to data breaches, financial fraud, and reputational damage, particularly if customer payment data is compromised. Users are urged to immediately upgrade to mitigate risks.
Source: https://www.infosecurity-magazine.com/news/sqli-threat-wordpress-memberships/
TPRM report: https://www.rankiteo.com/company/memberpress
"id": "mem810090225",
"linkid": "memberpress",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'location': 'Global',
                        'name': 'WordPress Paid Membership Subscriptions Plugin Users',
                        'size': '10,000+ sites',
                        'type': ['Businesses', 'Organizations', 'Individuals']}],
 'attack_vector': ['Network', 'Unauthenticated'],
 'customer_advisories': ['Users advised to upgrade to version 2.15.2 to mitigate risk'],
 'data_breach': {'data_exfiltration': ['Possible, if exploited'],
                 'personally_identifiable_information': ['Possible, if stored in the database'],
                 'sensitivity_of_data': ['Potentially high (membership, payment, or PII)'],
                 'type_of_data_compromised': ['Potential: Database records (membership, payment, or user data)']},
 'description': 'A serious security issue has been discovered in the WordPress Paid Membership Subscriptions plugin (versions 2.15.1 and below), which is used by over 10,000 sites to manage memberships and recurring payments. The flaw, tracked as CVE-2025-49870, allows attackers to inject malicious SQL queries into the database without requiring login credentials. The vulnerability stems from improper handling of PayPal Instant Payment Notifications (IPN), where the plugin extracts a payment ID directly from user-supplied data and inserts it into a database query without proper validation. Attackers could exploit this to gain unauthorized access to sensitive information or modify stored records. The issue was identified by Patchstack Alliance researcher ChuongVN and addressed in version 2.15.2 through input validation, prepared statements, and strengthened safeguards.',
 'impact': {'brand_reputation_impact': ['Potential reputational damage due to vulnerability exposure'],
            'data_compromised': ['Potential unauthorized access to sensitive database information',
                                 'Potential modification of stored records'],
            'identity_theft_risk': ['Potential risk if sensitive user data is exposed'],
            'operational_impact': ['Risk of database compromise',
                                   'Potential unauthorized data manipulation'],
            'payment_information_risk': ['Potential risk if payment-related data is accessed or modified'],
            'systems_affected': ['WordPress sites using Paid Membership Subscriptions plugin (versions ≤ 2.15.1)']},
 'investigation_status': 'Resolved (patch released)',
 'lessons_learned': ['Importance of input validation and sanitization in handling user-supplied data',
                     'Critical need for prepared statements to prevent SQL injection',
                     'Timely patching as a key mitigation strategy for known vulnerabilities'],
 'post_incident_analysis': {'corrective_actions': ['Implemented numeric validation for payment IDs',
                                                   'Replaced query concatenation with prepared statements',
                                                   'Enhanced input handling safeguards',
                                                   'Released patched version (2.15.2)'],
                            'root_causes': ['Lack of input validation for PayPal IPN payment IDs',
                                            'Use of vulnerable query concatenation instead of prepared statements',
                                            'Insufficient safeguards around user-supplied data in database queries']},
 'recommendations': ['Upgrade to WordPress Paid Membership Subscriptions plugin version 2.15.2 immediately',
                     'Use prepared statements for all database queries',
                     'Validate and sanitize all user-supplied input, especially in payment processing workflows',
                     'Monitor for signs of exploitation if running a vulnerable version',
                     'Follow secure coding practices as outlined by CISA and FBI for SQL injection prevention'],
 'references': [{'source': 'Patchstack Advisory'},
                {'source': 'CISA and FBI Guidance on SQL Injection'}],
 'response': {'communication_strategy': ['Public advisory via Patchstack',
                                         'Recommendations for immediate patching'],
              'containment_measures': ['Release of patched version (2.15.2)'],
              'recovery_measures': ['Users advised to upgrade to version 2.15.2'],
              'remediation_measures': ['Ensuring payment ID is numeric before use',
                                       'Replacing vulnerable query concatenation with prepared statements',
                                       'Strengthening safeguards around user input handling'],
              'third_party_assistance': ['Patchstack Alliance (research and disclosure)']},
 'stakeholder_advisories': ['Public disclosure via Patchstack',
                            'Recommendations for plugin users'],
 'title': 'Unauthenticated SQL Injection Vulnerability in WordPress Paid Membership Subscriptions Plugin (CVE-2025-49870)',
 'type': ['Vulnerability', 'SQL Injection'],
 'vulnerability_exploited': 'CVE-2025-49870 (Unauthenticated SQL Injection in PayPal IPN handling)'}