Skip to main content
CVE Vulnerability Database

CVE-2025-9322: WP Full Pay Plugin SQLi Vulnerability

CVE-2025-9322 is a SQL injection flaw in the WP Full Pay WordPress plugin that allows unauthenticated attackers to extract sensitive database information. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-9322 Overview

CVE-2025-9322 is a SQL Injection vulnerability in the Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions plugin for WordPress. The flaw affects all plugin versions up to and including 8.3.1. The vulnerability resides in the wpfs-form-name parameter, which lacks proper escaping and SQL query preparation. Unauthenticated attackers can append additional SQL queries to existing ones and extract sensitive data from the WordPress database. The issue is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

Critical Impact

Unauthenticated remote attackers can extract sensitive information, including credentials, payment metadata, and personal data, from WordPress databases on affected sites.

Affected Products

  • Stripe Payment Forms by WP Full Pay (free edition) – all versions through 8.3.1
  • WordPress sites running the WP Full Pay plugin for Stripe payment processing
  • Sites accepting credit card payments, donations, or subscriptions via this plugin

Discovery Timeline

  • 2025-10-25 - CVE-2025-9322 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-9322

Vulnerability Analysis

The plugin processes user-supplied input from the wpfs-form-name parameter and concatenates it into an SQL query without adequate sanitization. Because the query is not prepared using parameterized statements, attacker-controlled input becomes part of the executed SQL command. An attacker can append UNION SELECT clauses or other SQL constructs to retrieve arbitrary data from the WordPress database. Targets typically include the wp_users table for password hashes and the wp_options table for secret keys and API credentials. The attack requires no authentication and no user interaction, making it suitable for automated mass exploitation against exposed WordPress sites.

Root Cause

The root cause is twofold: insufficient escaping of the wpfs-form-name request parameter, and the absence of prepared statements (such as $wpdb->prepare()) when constructing the underlying SQL query. Both defenses must be present to neutralize SQL metacharacters supplied by remote users.

Attack Vector

The vulnerability is reachable over the network through standard HTTP/HTTPS requests targeting the plugin's form-handling endpoint. An attacker submits a crafted value in the wpfs-form-name parameter containing SQL syntax. The injected payload modifies the original query, enabling data exfiltration via UNION-based, error-based, or time-based blind SQL injection techniques.

No verified exploit code is publicly available. For technical specifics, refer to the Wordfence Vulnerability Report and the WordPress Plugin Change Log.

Detection Methods for CVE-2025-9322

Indicators of Compromise

  • HTTP requests containing SQL keywords such as UNION, SELECT, SLEEP, or INFORMATION_SCHEMA in the wpfs-form-name parameter
  • Unusual outbound database query patterns or extended response times from pages handling WP Full Pay form submissions
  • Web server access logs showing repeated POST or GET requests to WP Full Pay endpoints from a single source
  • Unexpected new administrative users or modified wp_options entries following plugin-related traffic

Detection Strategies

  • Inspect web server and WAF logs for SQL metacharacters (', --, ;, /*) appearing in the wpfs-form-name parameter
  • Deploy WordPress-aware intrusion detection rules that flag SQL injection patterns targeting plugin parameters
  • Correlate spikes in 500-series HTTP responses with requests to WP Full Pay endpoints, which often indicate failed injection attempts

Monitoring Recommendations

  • Enable query logging on MySQL/MariaDB and alert on queries containing concatenated user input from plugin handlers
  • Monitor file integrity on wp-content/plugins/wp-full-stripe-free/ to detect tampering or webshell drops following exploitation
  • Track outbound connections from the WordPress host to unfamiliar destinations, which may indicate data exfiltration

How to Mitigate CVE-2025-9322

Immediate Actions Required

  • Update the Stripe Payment Forms by WP Full Pay plugin to the version released after 8.3.1 that includes the fix referenced in WordPress changeset 3378785
  • If immediate patching is not possible, deactivate and remove the plugin until an upgrade can be applied
  • Audit the WordPress database for unauthorized administrative accounts, modified options, and anomalous content created since plugin installation
  • Rotate WordPress administrator passwords, API keys, and Stripe secret keys stored in the database

Patch Information

The vendor addressed the issue in a release published after version 8.3.1. The corresponding commit is documented in the WordPress Plugin Change Log. The fix introduces proper escaping and prepared statement usage for the wpfs-form-name parameter. Administrators should verify the installed version through the WordPress plugins dashboard after updating.

Workarounds

  • Deploy a Web Application Firewall (WAF) rule blocking SQL metacharacters in the wpfs-form-name parameter until the patch is applied
  • Restrict access to pages embedding WP Full Pay forms using IP allowlists where business requirements permit
  • Disable the plugin via WP-CLI with wp plugin deactivate wp-full-stripe-free on hosts that cannot be patched immediately
bash
# Configuration example
# Deactivate the vulnerable plugin via WP-CLI
wp plugin deactivate wp-full-stripe-free

# After patching, update to the fixed release and verify version
wp plugin update wp-full-stripe-free
wp plugin get wp-full-stripe-free --field=version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.