High-Risk SQL Injection Vulnerability Found in WordPress Membership Plugin

A critical security flaw has been identified in the WordPress Paid Membership Subscriptions plugin, a tool used by more than 10,000 websites to manage subscriptions and recurring payments.

The vulnerability, tracked as CVE-2025-49870, impacts versions 2.15.1 and earlier. It allows unauthenticated SQL injection, meaning an attacker could inject SQL into the plugin's database queries without needing login credentials.

The issue was discovered by Patchstack Alliance researcher ChuongVN, who confirmed that it has been fixed in version 2.15.2.

How the Exploit Works

The vulnerability originates from how the plugin processes PayPal Instant Payment Notifications (IPN).

When a payment is received, the plugin retrieves a payment ID from user input and places it directly into a database query without proper validation. By altering this input, attackers could potentially access sensitive information or modify database records.

To mitigate the flaw, developers introduced several security improvements in version 2.15.2, including:

  • Validating that payment IDs are strictly numeric before use
  • Replacing insecure query concatenation with prepared statements
  • Adding stronger safeguards for user input handling

Prepared statements separate the query structure from the values supplied at runtime, so injected input is treated as data and cannot change the query's logic, effectively preventing SQL injection.
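The two patterns described above, as an added PHP illustration written for this article (constructed, not code from the Paid Membership Subscriptions plugin); the table name, the IPN request field name and the function names are assumptions:

```php
<?php
// Added illustration (not the plugin's own code): a PayPal IPN handler that
// reads a payment ID from the request and looks it up in the database.
// Table name, request field name and function names are hypothetical.

/**
 * Vulnerable pattern: the request value is concatenated into the SQL string.
 * IPN requests are unauthenticated, so whoever sends the request controls
 * $_POST['payment_id'] and therefore part of the query text.
 */
function ipn_demo_get_payment_vulnerable() {
    global $wpdb;
    $payment_id = isset( $_POST['payment_id'] ) ? $_POST['payment_id'] : '';
    // Direct concatenation: no type check and no parameter binding.
    $sql = "SELECT * FROM {$wpdb->prefix}demo_payments WHERE id = " . $payment_id;
    return $wpdb->get_row( $sql );
}

/**
 * Hardened pattern, mirroring the fix described for version 2.15.2:
 *  1. require the payment ID to be strictly numeric (strict type casting),
 *  2. bind it through $wpdb->prepare() with a %d placeholder instead of
 *     building the query by string concatenation.
 */
function ipn_demo_get_payment_fixed() {
    global $wpdb;
    $raw = isset( $_POST['payment_id'] ) ? wp_unslash( $_POST['payment_id'] ) : '';

    // Reject anything that is not a plain string of digits before touching the DB.
    if ( ! is_string( $raw ) || '' === $raw || ! ctype_digit( $raw ) ) {
        return null;
    }
    $payment_id = absint( $raw );
    if ( 0 === $payment_id ) {
        return null;
    }

    // %d forces integer formatting, so the value can never alter query structure.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}demo_payments WHERE id = %d",
        $payment_id
    );
    return $wpdb->get_row( $sql );
}
```

Code review or static analysis that flags `$wpdb->get_row()`/`$wpdb->query()` calls whose SQL is built by concatenation rather than passed through `$wpdb->prepare()` is a practical way to catch the first pattern before it ships.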

Why SQL Injection Matters

SQL injection (SQLi) remains one of the most dangerous web security threats due to its ability to compromise entire databases.

As emphasized in Patchstack’s advisory:

“For the SQL query process, always properly escape and validate user input before executing a query. Best practice is to rely on prepared statements and enforce strict type casting for variables.”

What Site Owners Should Do

Website administrators using the Paid Membership Subscriptions plugin should immediately update to version 2.15.2 to secure their sites against possible exploitation.

Source: https://www.infosecurity-magazine.com/news/sqli-threat-wordpress-memberships