
A new high-risk security flaw has been discovered in the WordPress Paid Membership Subscriptions plugin, a tool widely used to manage memberships, recurring payments, and subscriber access. The plugin is installed on more than 10,000 WordPress websites, making this vulnerability a serious concern for website owners, developers, and businesses relying on membership-based models.
The flaw, tracked as CVE-2025-49870, is an unauthenticated SQL injection vulnerability that affects all versions of the plugin up to 2.15.1. Security researchers warn that attackers could exploit this issue to steal sensitive information, manipulate databases, or even take control of affected websites.
The vulnerability has been fixed in version 2.15.2, and site owners are strongly urged to update immediately.
The security weakness lies in how the plugin processes PayPal Instant Payment Notifications (IPN). Normally, when a payment is processed, the plugin extracts a payment ID from incoming data and uses it to update the site’s database.
However, in vulnerable versions, this payment ID was inserted directly into a SQL query without proper validation or sanitization. This means attackers could send specially crafted requests and inject malicious SQL code into the database – without needing a login or authentication.
In simple terms, hackers could trick the system into running harmful database commands, giving them access to:
User details such as names, emails, and payment history
Sensitive membership data
Stored payment-related records
Website configuration details
In some cases, attackers could even alter or delete records, leading to data loss, service disruption, or website takeover.
The flaw was identified by Patchstack Alliance researcher ChuongVN, who reported it responsibly. The plugin’s developers quickly worked on a patch and released version 2.15.2 with several important fixes:
Validating Payment IDs – ensuring they are strictly numeric before use.
Using Prepared Statements – replacing vulnerable query concatenations to block SQL injection.
Improved Input Handling – adding stronger safeguards against malicious or unexpected data.
Prepared statements are a best practice in database security. They separate the structure of a query from its data, so attacker-controlled input is only ever treated as a value and cannot change how the query runs.
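To make the pattern behind the fix concrete, here is an added illustration written for this article; it is not the plugin's code. It assumes a hypothetical IPN handler where the payment ID arrives in the POST field `custom`, an assumed table `{prefix}pms_payments`, and WordPress's `$wpdb` object; the first function shows the concatenation pattern the advisory describes, the second the validation plus prepared-statement fix listed for 2.15.2.

```php
<?php
// Added example, not the plugin's code. Table and field names are assumed.
// $wpdb is WordPress's database abstraction object.

// VULNERABLE PATTERN: the payment ID is taken straight from the IPN body
// and concatenated into the SQL text, so the data can rewrite the query.
function pms_demo_update_payment_vulnerable( $wpdb, array $ipn ) {
    $table      = $wpdb->prefix . 'pms_payments';   // assumed table name
    $payment_id = $ipn['custom'];                    // assumed IPN field
    $sql = "UPDATE {$table} SET status = 'completed' WHERE id = " . $payment_id;
    return $wpdb->query( $sql );
}

// HARDENED PATTERN (mirrors the fix list): enforce a strictly numeric ID
// before use, then bind it through $wpdb->prepare() with %d so the value
// can only ever be an integer and never part of the query structure.
function pms_demo_update_payment_hardened( $wpdb, array $ipn ) {
    $table = $wpdb->prefix . 'pms_payments';         // assumed table name

    // Reject anything that is not a plain run of digits (no signs, spaces,
    // quotes or comment sequences); absint() then yields a safe integer.
    if ( ! isset( $ipn['custom'] ) || ! preg_match( '/^\d+$/', (string) $ipn['custom'] ) ) {
        return false;
    }
    $payment_id = absint( $ipn['custom'] );
    if ( 0 === $payment_id ) {
        return false; // 0 is never a valid row ID here
    }

    // prepare() substitutes %d with an integer; no user data enters the SQL text.
    $sql = $wpdb->prepare(
        "UPDATE {$table} SET status = 'completed' WHERE id = %d",
        $payment_id
    );
    return $wpdb->query( $sql );
}
```

In a code review, any `$wpdb->query()` or `$wpdb->get_results()` call whose SQL string is built with `.` or `{}` interpolation from request data is the pattern to flag; the hardened form above is the shape the fix should take.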
SQL injection (SQLi) is one of the oldest and most dangerous web security flaws. Despite years of awareness campaigns and countless real-world attacks, it continues to appear in vulnerable plugins, applications, and websites.
According to security advisories, SQL injection can lead to:
Data Theft – Hackers can steal sensitive customer or business information.
Data Manipulation – Attackers can alter payment records or membership details.
Privilege Escalation – Hackers may gain admin-level control of a site.
Service Disruption – Websites may crash or lose access to essential data.
A statement from Patchstack highlights the importance of coding securely:
“For SQL queries, always sanitize and escape user input before running it. The best practice is to use prepared statements and cast each variable to its proper type.”

If your website uses the Paid Membership Subscriptions plugin, you should take the following steps immediately:
Update the Plugin – Upgrade to version 2.15.2 or later. This is the only reliable way to fix the vulnerability.
Check Site Logs – Look for unusual login attempts, database errors, or suspicious activity.
Backup Your Site – Always keep regular backups of your WordPress site and database.
Apply Security Best Practices – Use a web application firewall (WAF), keep all plugins updated, and remove unused extensions.
Audit Plugins Regularly – Membership and payment-related plugins handle sensitive data, so review them frequently for updates and security notices.
This incident is a reminder that WordPress security depends heavily on third-party plugins. While WordPress itself is regularly patched and maintained, vulnerabilities often come from the add-ons that extend its functionality.
With plugins managing sensitive tasks like memberships, payments, and user access, even a small oversight can expose thousands of websites to cyberattacks.
For businesses, especially those handling recurring subscriptions or customer payments, the risks are much higher. A single breach can damage customer trust, cause financial losses, and invite compliance issues under data protection laws like GDPR.
The CVE-2025-49870 SQL injection flaw in the Paid Membership Subscriptions plugin shows once again why keeping WordPress plugins updated is critical. Attackers actively scan the internet for outdated plugins, and once a flaw is public, unpatched sites quickly become easy targets.
If you are running this plugin, update to version 2.15.2 immediately to secure your website. Staying proactive with plugin updates, backups, and basic security hygiene is the best defense against future vulnerabilities.