WordPress Plugin Panic: Critical SQL Injection Bug Hits 10,000 Sites!
The WordPress Paid Membership Subscriptions plugin, used by over 10,000 sites, faces a severe vulnerability: an unauthenticated SQL injection flaw tracked as CVE-2025-49870. This bug allows attackers to inject malicious queries without credentials. Patchstack’s ChuongVN identified the issue, now fixed in version 2.15.2. Upgrade now or risk the wrath of rogue SQL!
Hot Take:
Looks like WordPress’ Paid Membership Subscriptions plugin just signed up for a lifetime subscription to the “Oops, I Did It Again” database vulnerability club! But fear not, as the developers have managed to patch things up before things got too SQL-ly serious. So, before your membership data turns into a hacker’s social networking site, get on that update button like it’s the last slice of pizza at a tech conference!
Key Points:
- WordPress Paid Membership Subscriptions plugin hit by an SQL injection vulnerability.
- Affects versions 2.15.1 and below, impacting over 10,000 sites.
- Vulnerability allows database tampering without requiring login credentials.
- Patches have been implemented in version 2.15.2 to fix the issue.
- Users are strongly advised to upgrade to the latest version immediately.