Paid WordPress users beware - worrying security flaw puts accounts and info at risk
Date:
Tue, 02 Sep 2025 16:06:00 +0000
Description:
A high-severity vulnerability was found in a popular WordPress theme enabling subscriptions and paying users.
FULL STORY ======================================================================
- An improper neutralization flaw was found in the WordPress Paid Membership Subscriptions plugin
- This plugin is used by more than 10,000 sites, enabling memberships and paying user accounts
- A patch is now available, so users should update immediately
A high-severity vulnerability has been discovered in a popular premium WordPress plugin, allowing threat actors to access, or exfiltrate, sensitive data without authentication.
Security researcher ChuongVN from the Patchstack Alliance recently found an improper neutralization of special elements used in an SQL command (SQL injection) flaw, affecting the WordPress Paid Membership Subscriptions plugin.
Paid Member Subscriptions is a plugin helping site owners create and manage membership-based websites. It lets admins restrict content, create subscription plans, accept recurring payments, and control user access based on membership level. It is rather popular, being used by more than 10,000 websites.

Extracting emails or hashed passwords
Among the plugin's standout features is its integration with popular payment gateways like PayPal and Stripe, but this is also where the problem stems from.
The plugin's handling of PayPal Instant Payment Notifications (IPN) was problematic: when a transaction was processed, the plugin extracted a payment ID directly from user-supplied data and inserted it into a database query without proper validation.
By manipulating this input, attackers could gain unauthorized access to sensitive information or modify stored records.
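As an added illustration (not the plugin's own code, and not taken from the advisory), this is the shape of the defect described above in WordPress PHP: a hypothetical IPN handler that concatenates the posted payment ID into a query, beside a hardened version that validates the type and binds the value with $wpdb->prepare(). The table name, the POST field name and the function names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Both handlers are hypothetical
// sketches of an IPN callback that looks up a payment by the ID PayPal posts
// back. Table name ("pms_payments") and POST field ("custom") are assumed.

// Vulnerable pattern: the untrusted POST value is spliced straight into the
// SQL text, so whoever sends the IPN request controls the query's structure.
function example_ipn_lookup_unsafe( $wpdb ) {
    $payment_id = $_POST['custom']; // attacker-controlled, never validated
    $sql = "SELECT * FROM {$wpdb->prefix}pms_payments WHERE id = " . $payment_id;
    return $wpdb->get_row( $sql );
}

// Hardened pattern: a payment ID is a positive integer, so reject anything
// else up front, then let $wpdb->prepare() bind the value as data, not SQL.
// A real handler would also verify the IPN message with PayPal before
// trusting any field in it.
function example_ipn_lookup_safe( $wpdb ) {
    $raw        = isset( $_POST['custom'] ) ? (string) $_POST['custom'] : '';
    $payment_id = absint( $raw );
    if ( 0 === $payment_id || (string) $payment_id !== $raw ) {
        // Not a well-formed ID: record it and stop before touching the database.
        error_log( 'IPN rejected: malformed payment id' );
        return null;
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}pms_payments WHERE id = %d",
        $payment_id
    );
    return $wpdb->get_row( $sql );
}
```

The strict string comparison after absint() rejects values such as "12abc" or "012" that a plain integer cast would silently accept.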
In a real-life scenario, an attacker could inject malicious queries into the site's database, allowing them to extract email addresses or hashed passwords of paying members. This information could then be used to launch phishing attacks against subscribers, or credential-stuffing attacks on other platforms where the same login details are used.
The bug is now tracked as CVE-2025-49870, and carries a severity score of 7.5/10 (high). It was fixed in version 2.15.2, and users are now advised to upgrade their plugins as soon as possible.
WordPress is the world's most popular website builder, powering more than half of all websites in existence. As such, its plugins and themes are a popular target among cybercriminals looking for an easy way into websites, their content, and their users' data.
Via Infosecurity Magazine
======================================================================
Link to news story:
https://www.techradar.com/pro/security/paid-wordpress-users-beware-worrying-security-flaw-puts-accounts-and-info-at-risk
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)