All news with #paid membership subscriptions tag

Critical SQLi in Paid Memberships Subscriptions Plugin

🔒 A critical unauthenticated SQL injection vulnerability (CVE-2025-49870) was discovered in the WordPress Paid Memberships Subscriptions plugin affecting versions up to 2.15.1, used by over 10,000 sites. Patchstack Alliance researcher ChuongVN reported the flaw, which stems from unsafe handling of PayPal IPN payment IDs. The vendor released 2.15.2 to enforce numeric validation of payment IDs, adopt prepared statements and strengthen input handling; administrators should update immediately.