Paid WordPress users beware - worrying security flaw puts accounts and info at risk


  • An improper neutralization flaw was found in the WordPress Paid Member Subscriptions plugin
  • This plugin is used by more than 10,000 sites, enabling memberships and paying user accounts
  • A patch is now available, so users should update immediately

A high-severity vulnerability has been discovered in a popular premium WordPress plugin, allowing threat actors to access, or exfiltrate, sensitive data without authentication.

Security researcher ChuongVN from the Patchstack Alliance recently found an “improper neutralization of special elements used in an SQL command” flaw affecting the WordPress Paid Member Subscriptions plugin.

Paid Member Subscriptions is a plugin helping site owners create and manage membership-based websites. It lets admins restrict content, create subscription plans, accept recurring payments, and control user access based on membership level. It is rather popular, being used by more than 10,000 websites.

Extracting emails or hashed passwords

Among the plugin's standout features is its integration with popular payment gateways like PayPal and Stripe, but this is also where the problem stems from.

The problem lay in the plugin’s handling of PayPal Instant Payment Notifications (IPN): when a transaction was processed, the plugin took a payment ID directly from user-supplied data and inserted it into a database query without proper validation.

By manipulating this input, attackers could gain unauthorized access to sensitive information or modify stored records.
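To make the pattern concrete, here is an added illustration (not the plugin's own code, and not a reproduction of the actual flaw) of a hypothetical IPN handler written two ways: the unsafe shape the article describes, where a value taken from the notification body is concatenated into a query, and the hardened shape that coerces the value to the expected type and binds it through WordPress's `$wpdb->prepare()`. The table name, column names and the `custom` IPN field used as the payment ID are assumptions made for the example.

```php
<?php
// Added example, not code from the Paid Member Subscriptions plugin.
// Table/column names and the IPN field carrying the payment ID are assumed.

// UNSAFE (illustrative): the payment ID from the IPN POST body is placed
// straight into the SQL string, so any quote or SQL syntax in that value
// becomes part of the query instead of being treated as data.
function example_ipn_lookup_unsafe( $wpdb, array $ipn_post ) {
    $payment_id = isset( $ipn_post['custom'] ) ? $ipn_post['custom'] : '';
    $sql = "SELECT id, user_id, status FROM {$wpdb->prefix}example_payments WHERE id = '$payment_id'";
    return $wpdb->get_row( $sql );
}

// HARDENED (illustrative): the value is coerced to a positive integer,
// rejected if it is not one, and bound as a %d placeholder so it can only
// ever be interpreted as a number by the database.
function example_ipn_lookup_hardened( $wpdb, array $ipn_post ) {
    $payment_id = absint( $ipn_post['custom'] ?? 0 );
    if ( 0 === $payment_id ) {
        return null; // not a valid payment ID; do nothing with this notification
    }
    $sql = $wpdb->prepare(
        "SELECT id, user_id, status FROM {$wpdb->prefix}example_payments WHERE id = %d",
        $payment_id
    );
    return $wpdb->get_row( $sql );
}
```

Two points a reviewer of an IPN handler would check beyond the query itself: the notification should be verified with PayPal (posting the message back with `cmd=_notify-validate` and requiring a `VERIFIED` response) before any field in it is trusted, and every value lifted from the body should be validated against the type the code expects, not merely escaped. Endpoints like these are reachable without a logged-in user by design, which is why the article's "without authentication" qualifier matters.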

In a real-life scenario, an attacker could inject malicious queries into the site’s database, allowing them to extract email addresses or hashed passwords of paying members. This information could then be used to launch phishing attacks against subscribers, or credential-stuffing attacks on other platforms where the same login details are used.

The bug is now tracked as CVE-2025-49870, and carries a severity score of 7.5/10 (high). It was fixed in version 2.15.2, and users are now advised to upgrade their plugins as soon as possible.

WordPress is the world’s most popular website builder, powering more than half of all websites in existence. As such, its plugins and themes are a popular target among cybercriminals looking for an easy way into websites, their content, and their users’ data.

Via Infosecurity Magazine


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
