VYPR
High severity (CVSS 7.5) · NVD Advisory · Published Jul 4, 2025 · Updated Apr 23, 2026

CVE-2025-49870

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Paid Member Subscriptions (paid-member-subscriptions) allows SQL Injection. This issue affects Paid Member Subscriptions: from n/a through <= 2.15.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Paid Member Subscriptions plugin allows attackers to execute arbitrary SQL queries, potentially stealing data from WordPress databases.

The vulnerability is an SQL injection flaw in the Paid Member Subscriptions plugin by Cozmoslabs, affecting versions through 2.15.1. The plugin fails to properly sanitize user inputs before constructing SQL queries, allowing attackers to inject malicious SQL code [1].

Attackers can exploit this by sending specially crafted requests to vulnerable endpoints without requiring authentication, making it accessible to anyone with HTTP access to the WordPress site. This type of vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Successful exploitation allows an attacker to directly interact with the database, potentially stealing sensitive information such as user credentials, personal data, or other stored content. The CVSS v3 base score of 7.5 indicates a high severity [1].

The vulnerability is patched in version 2.15.2. Users are advised to update immediately. If unable to update, consider using a web application firewall or contacting the hosting provider for assistance. Patchstack has issued a mitigation rule to block attacks until the update is applied [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.