VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Sep 10, 2025 · Updated Apr 15, 2026

CVE-2025-9463

Description

The Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_by’ parameter in all versions up to, and including, 1.117.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated SQL injection in WooCommerce Payments Plugin up to v1.117.5 allows time-based extraction of sensitive data.

The PeachPay Payments Plugin for WooCommerce (versions up to and including 1.117.5) contains a time-based SQL injection vulnerability in the order_by parameter [1]. The root cause is insufficient escaping of user-supplied input and lack of proper preparation in the existing SQL query, enabling an attacker to inject arbitrary SQL clauses [1].

Exploitation requires authenticated access with at least Subscriber-level privileges [1]. The attacker can manipulate the order_by parameter to append additional SQL queries into already existing database queries, leveraging time-based techniques to infer information from the database response delays [1]. No other special network access or privileges are necessary beyond valid WordPress credentials with Subscriber role or higher [1].

Successful exploitation allows an attacker to extract sensitive information from the WordPress database, such as user credentials, session tokens, or other confidential data stored by the site [1]. The time-based SQL injection method relies on conditional delays to exfiltrate data bit by bit, making extraction feasible albeit slower than direct retrieval [1].

The plugin vendor has not yet released a patched version as of the CVE publication date [1]. Administrators are advised to restrict Subscriber-level access to trusted users only, monitor database query logs for unusual time-based patterns, and apply any future security updates promptly [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
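As an added illustration (not the plugin's code, and not a reproduction of the vulnerable code itself), the defect class the description names, a user-supplied `order_by` value concatenated into an ORDER BY clause, beside the usual WordPress fix. `$wpdb->prepare()` and `esc_sql()` only protect values, not identifiers or the sort direction, so the hardened version resolves the request parameter against an allowlist of column names and falls back to a default. The column names, table name and sample inputs are constructed assumptions.

```php
<?php
// Added example (not the plugin's code). Shows the defect class from the
// advisory description beside an allowlist-based fix. Column names, table
// name and sample inputs are constructed for illustration.

// BEFORE (pattern the advisory describes): the raw request value is
// interpolated into the ORDER BY clause. esc_sql() / prepare() cannot make an
// identifier or sort direction safe here, so any SQL in $order_by is executed.
function build_orders_query_vulnerable(string $table, string $order_by): string {
    return "SELECT id, total FROM {$table} ORDER BY {$order_by}";
}

// AFTER: resolve the user-supplied value against an allowlist. The returned
// column name and direction come from the allowlist, never from the request,
// so no attacker-controlled bytes reach the SQL text.
function safe_order_by(string $raw, array $allowed_columns, string $default_column): string {
    // Accept "column" or "column direction"; anything else falls back to the default.
    $parts     = preg_split('/\s+/', trim($raw), 2, PREG_SPLIT_NO_EMPTY);
    $column    = strtolower($parts[0] ?? '');
    $direction = strtoupper($parts[1] ?? 'ASC');

    if (!array_key_exists($column, $allowed_columns)) {
        $column = $default_column;
    }
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        $direction = 'ASC';
    }
    // Emit the canonical identifier stored in the allowlist, not $raw.
    return $allowed_columns[$column] . ' ' . $direction;
}

function build_orders_query_hardened(string $table, string $raw_order_by): string {
    // Request keys map onto real column names; the key and column may differ.
    $allowed = [
        'id'    => 'id',
        'total' => 'total',
        'date'  => 'created_at',
    ];
    $order = safe_order_by($raw_order_by, $allowed, 'id');
    return "SELECT id, total FROM {$table} ORDER BY {$order}";
}

// Demonstration with constructed inputs (table name is hypothetical).
$table = 'wp_example_orders';
echo build_orders_query_hardened($table, 'date desc'), PHP_EOL;
echo build_orders_query_hardened($table, 'total, (SELECT 1)'), PHP_EOL;
```

The first call sorts by `created_at DESC`; the second, whose value is not on the allowlist, sorts by the default `id ASC` and none of the submitted text reaches the query.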

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0 (no linked articles in the index yet)