
CVE-2025-2890: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in TagDiv tagDiv Opt-In Builder

Severity: Medium
Tags: Vulnerability, CVE-2025-2890, CWE-89
Published: Wed Apr 30 2025 (04/30/2025, 08:21:59 UTC)
Source: CVE
Vendor/Project: TagDiv
Product: tagDiv Opt-In Builder

Description

The tagDiv Opt-In Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘subscriptionCouponId’ parameter in all versions up to, and including, 1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI-Powered Analysis

Last updated: 06/25/2025, 10:31:47 UTC

Technical Analysis

CVE-2025-2890 is a medium-severity SQL Injection vulnerability affecting the tagDiv Opt-In Builder plugin for WordPress, specifically all versions up to and including 1.7. The vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89) via the 'subscriptionCouponId' parameter. This parameter is insufficiently escaped and the SQL queries are not properly prepared, allowing an authenticated attacker with Subscriber-level access or higher to inject additional SQL commands. The injection is time-based, enabling attackers to extract sensitive information from the backend database by appending malicious SQL queries to legitimate ones. Notably, no user interaction is required beyond authentication, and the attack vector is remote over the network. The CVSS 3.1 base score is 6.5, reflecting a medium severity with high confidentiality impact but no integrity or availability impact. The vulnerability does not currently have known exploits in the wild, and no patches have been released yet. The attack requires at least low-level authenticated access, which means the attacker must have a valid WordPress account with subscriber or higher privileges. The plugin is widely used in WordPress sites for managing opt-in forms and marketing campaigns, making it a valuable target for attackers seeking to extract user data or other sensitive database contents. The lack of proper input sanitization and parameterized queries is the root cause, and the vulnerability specifically targets the subscriptionCouponId parameter, which is likely used in coupon or subscription management features within the plugin.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data stored in WordPress databases, including potentially personal data protected under GDPR. Since the vulnerability allows extraction of data without elevating privileges beyond subscriber-level access, attackers who compromise low-privilege accounts or exploit weak authentication mechanisms could leverage this flaw to access sensitive customer or business information. This could lead to data breaches, reputational damage, regulatory fines, and loss of customer trust. The impact is particularly critical for organizations relying heavily on WordPress for marketing, subscription management, or customer engagement, such as e-commerce, media, and service providers. The vulnerability does not affect data integrity or availability directly, but the confidentiality breach alone is sufficient to cause serious compliance and operational issues. Additionally, the lack of known exploits currently provides a window for organizations to remediate before active exploitation occurs.

Mitigation Recommendations

- Immediately audit WordPress sites that use the tagDiv Opt-In Builder plugin and identify installations running affected versions (up to and including 1.7).
- Restrict subscriber-level accounts and enforce strong authentication policies, including multi-factor authentication (MFA), to reduce the risk of account compromise.
- Implement web application firewall (WAF) rules that specifically target SQL injection patterns in the 'subscriptionCouponId' parameter to block malicious payloads.
- Employ database activity monitoring to detect unusual query patterns indicative of SQL injection attempts.
- Consider temporarily disabling or removing the tagDiv Opt-In Builder plugin if a patch is not available.
- Monitor vendor communications closely for patch releases and apply updates promptly once available.
- Review and harden WordPress user roles and permissions to minimize the number of users with subscriber or higher access.
- Conduct regular security assessments and penetration testing focused on WordPress plugins to identify similar injection flaws.
- Educate site administrators on the risks of SQL injection and the importance of plugin updates and secure configurations.
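As an added example (not the page's or the plugin's code), the following Python script ties together the root cause described in the technical analysis and the monitoring advice above: it applies the kind of positive validation the plugin should have enforced on subscriptionCouponId before the value reached a query, here to web-server access logs, and it also flags the slow responses that a time-based injection produces. The log lines, the admin-ajax.php path, the action value, the allowlist pattern and the 3-second threshold are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real traffic). Format: combined log with a
# trailing request duration in microseconds (Apache %D / nginx $request_time).
# The admin-ajax.php path and "action" value are placeholders, not the plugin's.
SAMPLE_LOG = """\
203.0.113.10 - alice [30/Apr/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=optin_placeholder&subscriptionCouponId=42 HTTP/1.1" 200 512 120000
203.0.113.11 - bob [30/Apr/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=optin_placeholder&subscriptionCouponId=42%27%20--%20 HTTP/1.1" 200 512 150000
203.0.113.11 - bob [30/Apr/2025:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=optin_placeholder&subscriptionCouponId=43 HTTP/1.1" 200 512 5200000
203.0.113.12 - - [30/Apr/2025:10:00:03 +0000] "GET /?p=1 HTTP/1.1" 200 2048 90000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<usec>\d+)$'
)
PARAM = "subscriptionCouponId"
# Assumption: a legitimate coupon id is a short plain token. Anything else
# (quotes, spaces, comment markers) is what the plugin should have rejected.
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Assumption: this endpoint normally answers well under 3 s, so a much slower
# response on a request carrying the parameter is worth a look.
SLOW_USEC = 3_000_000

def analyze(log_text: str) -> list[dict]:
    """Return one finding per request that carries PARAM and looks suspicious."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if PARAM not in query:
            continue
        reasons = []
        if any(not ALLOWED_VALUE.match(v) for v in query[PARAM]):
            reasons.append("value fails allowlist")
        if int(m["usec"]) >= SLOW_USEC:
            reasons.append("slow response (possible time-based probe)")
        if reasons:
            findings.append({"ip": m["ip"], "user": m["user"],
                             "value": query[PARAM][0], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run against the constructed sample, the script reports two of bob's requests: one whose parameter value fails the allowlist and one that took over five seconds despite a clean-looking value.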


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-03-27T21:48:50.059Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983bc4522896dcbedb42

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 10:31:47 AM

Last updated: 8/16/2025, 12:28:51 PM
