VYPR
High severity 7.6 · NVD Advisory · Published Sep 5, 2025 · Updated Apr 23, 2026

CVE-2025-58789

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle WP Full Stripe Free wp-full-stripe-free allows SQL Injection. This issue affects WP Full Stripe Free: from n/a through <= 8.2.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in WP Full Stripe Free ≤8.2.5 allows unauthenticated attackers to extract or manipulate the WordPress database.

Vulnerability Overview

The WP Full Stripe Free plugin for WordPress, versions up to and including 8.2.5, contains an SQL injection vulnerability due to improper neutralization of special elements used in an SQL command [1]. This flaw allows an attacker to inject arbitrary SQL queries into the database through unsanitized input fields.

Exploitation Details

The vulnerability can be exploited without authentication, making it accessible to any remote attacker who can send crafted requests to a vulnerable site [1]. The attack surface is broad because the plugin is widely used for payment processing, and the injection point may be reachable via standard HTTP parameters.

Impact

Successful exploitation enables an attacker to directly interact with the underlying database, potentially reading sensitive data (such as user credentials or payment information), modifying or deleting records, and in some cases escalating privileges or gaining further access to the WordPress installation [1].

Mitigation

The vendor has released version 8.2.6, which fixes the SQL injection issue [1]. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer for temporary workarounds is recommended. Patchstack users can enable auto-updates to stay protected [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
