A serious security issue has been discovered in the WordPress Paid Membership Subscriptions plugin, which is used by over 10,000 sites to manage memberships and recurring payments.

Versions 2.15.1 and below are affected by an unauthenticated SQL injection vulnerability, tracked as CVE-2025-49870.

The flaw allows attackers to inject malicious SQL queries into the database without requiring login credentials.

Patchstack Alliance researcher ChuongVN identified the problem and confirmed that it has been addressed in version 2.15.2.

How the Vulnerability Works

The bug stems from the way the plugin handles PayPal Instant Payment Notifications (IPN).

When a transaction is processed, the plugin extracts a payment ID directly from user-supplied data and inserts it into a database query without proper validation.

By manipulating this input, attackers could gain unauthorized access to sensitive information or modify stored records.

To resolve the issue, the developers made several changes in version 2.15.2, including:

  • Ensuring that the payment ID is numeric before use

  • Replacing vulnerable query concatenation with prepared statements

  • Strengthening safeguards around user input handling

Prepared statements prevent attackers from altering the intended structure of database queries, eliminating the injection risk.
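The two patterns the article contrasts, the IPN handler that drops a caller-supplied payment ID straight into a query and the corrected handler that validates the ID as numeric and binds it through a prepared statement, as an added illustration written for this page. It is not the plugin's code and does not reproduce the real handler: the `payments` table, the `custom` IPN field name and the sample rows are constructed here, and an in-memory SQLite database stands in for the WordPress database so the script runs stand-alone.

```php
<?php
// Added example (not the Paid Membership Subscriptions plugin's code).
// Demonstrates the bug class described above: a payment ID taken from an
// unauthenticated PayPal IPN request reaching SQL unvalidated, next to the
// hardened form. Table, column and field names are assumptions.
declare(strict_types=1);

// Constructed in-memory database standing in for the site's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE payments (id INTEGER PRIMARY KEY, user_email TEXT, status TEXT)');
$db->exec("INSERT INTO payments VALUES (1, 'alice@example.com', 'pending'),
                                       (2, 'bob@example.com', 'completed')");

// Vulnerable pattern: the IPN field is concatenated into the query text,
// so whatever the sender puts there becomes part of the SQL statement.
function lookup_payment_vulnerable(PDO $db, array $ipn): array
{
    $paymentId = $ipn['custom'] ?? '';   // hypothetical IPN field carrying the ID
    $sql = 'SELECT id, status FROM payments WHERE id = ' . $paymentId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a positive integer before it
// gets near SQL, then pass the value as a bound integer parameter so the
// query structure is fixed before the data is supplied.
function lookup_payment_safe(PDO $db, array $ipn): array
{
    $raw = $ipn['custom'] ?? '';
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        return [];                        // malformed ID: treat as no match
    }
    $stmt = $db->prepare('SELECT id, status FROM payments WHERE id = :id');
    $stmt->bindValue(':id', (int) $raw, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed notifications: one well-formed, one carrying an injected clause.
$benign   = ['custom' => '2'];
$tampered = ['custom' => '0 OR 1=1'];

printf("vulnerable, benign:   %d row(s)\n", count(lookup_payment_vulnerable($db, $benign)));
printf("vulnerable, tampered: %d row(s)\n", count(lookup_payment_vulnerable($db, $tampered)));
printf("safe, benign:         %d row(s)\n", count(lookup_payment_safe($db, $benign)));
printf("safe, tampered:       %d row(s)\n", count(lookup_payment_safe($db, $tampered)));
```

Run with `php example.php`: the tampered notification returns every row through the vulnerable path, because the injected clause becomes part of the `WHERE` condition, and nothing through the hardened path, because the input fails the numeric check before any query is built. Inside WordPress the equivalent of the hardened function is `$wpdb->prepare()` with a `%d` placeholder and `absint()` applied to the incoming value, which is the combination of type casting and prepared statements the article describes.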

SQL Injection Risks

SQL injection has long been one of the most dangerous web security problems due to its potential to compromise entire databases.

As a Patchstack advisory noted, “for the SQL query process, always do a safe escape and format the user’s input before performing a query. The best practice is always to use a prepared statement and also cast each of the used variables to its intended usage.”

Plugin users are strongly advised to upgrade to version 2.15.2 as soon as possible to protect their sites from exploitation.