
High severity flaw in WordPress Paid Member Subscriptions plugin, patch now available

A high severity vulnerability has been found in the WordPress Paid Member Subscriptions plugin, exposing membership sites to unauthenticated SQL injection. The issue is tracked as CVE-2025-49870, carries a CVSS score of 7.5, and affects versions through 2.15.1. A fix is available in version 2.15.2. The plugin powers more than 10,000 sites that offer paid access and recurring subscriptions.

The risk stemmed from how the plugin handled PayPal Instant Payment Notifications (IPN). A payment ID taken from user-supplied data was inserted into a database query without proper validation or parameterisation. An attacker could inject SQL and read sensitive records such as emails or hashed passwords, and in some cases modify stored data.
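The following PHP is an added illustration of the pattern the advisory describes, not code from the Paid Member Subscriptions plugin: a payment ID taken from a PayPal IPN message reaches a query either by string concatenation (the vulnerable shape) or through shape validation plus a bound parameter (the hardened shape). The table name, column names, the use of the IPN `custom` field to carry the payment ID, and the in-memory SQLite database are all assumptions made so the example runs offline; the PayPal verification step is stubbed for the same reason.

```php
<?php
declare(strict_types=1);

// Assumed schema and sample rows; a real plugin has its own tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pms_payments (id INTEGER PRIMARY KEY, user_id INTEGER, status TEXT)');
$db->exec("INSERT INTO pms_payments VALUES (1, 42, 'pending'), (2, 43, 'pending')");

// Vulnerable shape: the value from the request becomes part of the SQL text.
// Whoever controls the IPN body controls the structure of the statement.
function lookup_payment_unsafe(PDO $db, string $paymentId): ?array
{
    $sql = 'SELECT id, user_id, status FROM pms_payments WHERE id = ' . $paymentId;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened shape: reject anything that is not a plain positive integer, then
// bind the value so it can only ever be data, never SQL.
// In WordPress the same idea is $wpdb->prepare('... WHERE id = %d', $id).
function lookup_payment_safe(PDO $db, string $paymentId): ?array
{
    if (!ctype_digit($paymentId) || strlen($paymentId) > 18) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, user_id, status FROM pms_payments WHERE id = :id');
    $stmt->execute([':id' => (int) $paymentId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Minimal IPN handler: act only on messages PayPal has confirmed as VERIFIED
// (the callback stands in for that round trip, an assumption for offline use),
// and only on payment ids that pass validation.
function handle_ipn(PDO $db, array $post, callable $verifyWithPayPal): string
{
    if (!$verifyWithPayPal($post)) {
        return 'ignored: not verified by PayPal';
    }
    $row = lookup_payment_safe($db, (string) ($post['custom'] ?? ''));
    if ($row === null) {
        return 'ignored: unknown or malformed payment id';
    }
    $stmt = $db->prepare('UPDATE pms_payments SET status = :s WHERE id = :id');
    $stmt->execute([':s' => 'completed', ':id' => $row['id']]);
    return 'payment ' . $row['id'] . ' marked completed';
}

// Constructed IPN bodies (not real PayPal messages) and a stub verifier.
$verifier = static fn(array $p): bool => ($p['payment_status'] ?? '') === 'Completed';

echo handle_ipn($db, ['custom' => '1', 'payment_status' => 'Completed'], $verifier), PHP_EOL;
echo handle_ipn($db, ['custom' => "1'", 'payment_status' => 'Completed'], $verifier), PHP_EOL;
echo handle_ipn($db, ['custom' => '2', 'payment_status' => 'Pending'], $verifier), PHP_EOL;
```

Run with `php example.php` (needs the pdo_sqlite extension). The first message updates payment 1, the second is dropped at validation before any query is built, and the third is dropped because the verifier did not accept it. The point of keeping both validation and the bound parameter is defence in depth: validation rejects obviously wrong input early, and the prepared statement guarantees that whatever does get through cannot alter the query.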

Site owners should update immediately to close the exposure and reduce the chance of data theft or account takeover.

What site owners should do

  • Update Paid Member Subscriptions to 2.15.2 or later.

  • Review server and application logs for unusual PayPal IPN requests.

  • Rotate API keys, webhooks, and any tokens tied to payment gateways.

  • If compromise is suspected, force password resets for members and audit administrator accounts.

  • Ensure database queries use prepared statements and input validation.

  • Enable a web application firewall and keep regular backups.
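For the log-review step above, the following PHP is an added example, not something from the advisory or the plugin. It scans a constructed application log of IPN listener hits (the key=value line format and the `/pms-paypal-ipn` path are assumptions; real logs will differ and the parser should be adapted) and reports three kinds of oddity a defender would want to look at: a payment id that is not a plain integer, a non-POST request to the IPN endpoint, and a burst of IPN requests from one address.

```php
<?php
declare(strict_types=1);

// Constructed sample log lines (not real traffic). The format is assumed.
const SAMPLE_LOG = [
    '2025-06-01T10:02:11Z ip=203.0.113.10 method=POST path=/pms-paypal-ipn custom=1501 txn_id=8AB12345CD678901E',
    '2025-06-01T10:05:42Z ip=203.0.113.10 method=POST path=/pms-paypal-ipn custom=1502 txn_id=8AB12345CD678902F',
    "2025-06-01T11:17:03Z ip=198.51.100.7 method=POST path=/pms-paypal-ipn custom=1503' txn_id=ABC",
    '2025-06-01T11:17:04Z ip=198.51.100.7 method=POST path=/pms-paypal-ipn custom=1503%27 txn_id=ABC',
    '2025-06-01T11:17:05Z ip=198.51.100.7 method=GET path=/pms-paypal-ipn custom=1503 txn_id=ABC',
    '2025-06-01T11:17:06Z ip=198.51.100.7 method=POST path=/pms-paypal-ipn custom=abc txn_id=ABC',
    '2025-06-01T11:17:07Z ip=198.51.100.7 method=POST path=/pms-paypal-ipn custom=1504 txn_id=ABC',
    '2025-06-01T11:17:08Z ip=198.51.100.7 method=POST path=/pms-paypal-ipn custom=1505 txn_id=ABC',
];

// Turn one line into an associative array; the first token is the timestamp.
function parse_line(string $line): ?array
{
    $parts = preg_split('/\s+/', trim($line));
    if ($parts === false || count($parts) < 2) {
        return null;
    }
    $ts = strtotime($parts[0]);
    if ($ts === false) {
        return null;
    }
    $rec = ['ts' => $ts];
    foreach (array_slice($parts, 1) as $tok) {
        if (strpos($tok, '=') === false) {
            continue;
        }
        [$k, $v] = explode('=', $tok, 2);
        $rec[$k] = $v;
    }
    return $rec;
}

// Returns a list of human-readable findings; empty means nothing stood out.
function review_ipn_log(array $lines, int $burstLimit = 5, int $windowSec = 60): array
{
    $findings = [];
    $byIp = [];
    foreach ($lines as $n => $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        $where = 'line ' . ($n + 1);
        $method = $r['method'] ?? '?';
        if ($method !== 'POST') {
            $findings[] = "$where: IPN endpoint hit with $method (PayPal sends IPNs as POST)";
        }
        $custom = $r['custom'] ?? '';
        if (!preg_match('/^\d{1,18}$/', $custom)) {
            $findings[] = "$where: payment id is not a plain integer: " . var_export($custom, true);
        }
        $byIp[$r['ip'] ?? '?'][] = $r['ts'];
    }
    // Burst check: more than $burstLimit hits from one IP inside $windowSec.
    foreach ($byIp as $ip => $times) {
        sort($times);
        for ($i = 0; $i + $burstLimit < count($times); $i++) {
            if ($times[$i + $burstLimit] - $times[$i] <= $windowSec) {
                $findings[] = "$ip: more than $burstLimit IPN requests within {$windowSec}s";
                break;
            }
        }
    }
    return $findings;
}

foreach (review_ipn_log(SAMPLE_LOG) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the sample data this reports the three malformed payment ids, the GET request, and the burst from 198.51.100.7, while the two ordinary entries from 203.0.113.10 produce nothing. A genuine malformed id or a burst is worth correlating with the other items on the list (key rotation, password resets) before deciding whether the site was actually probed.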

Timeline

  • Report received, 2 June 2025.

  • Patched release, 11 June 2025.

  • CVE entry published, 3 July 2025.

  • Full advisory published, 28 August 2025.

WordPress remains a major target because of its large plugin ecosystem. Prompt patching, least privilege access, and continuous monitoring are essential for sites that process payments and store user data.
