CVE-2025-2890 identifies a time-based SQL Injection vulnerability in the tagDiv Opt-In Builder plugin for WordPress, present in all versions up to and including 1.7. The root cause is the insufficient escaping and lack of prepared statements when handling the 'subscriptionCouponId' parameter, which is user-supplied. This flaw allows authenticated attackers with Subscriber-level privileges or higher to append malicious SQL commands to existing queries. The attack vector is network-based with low attack complexity and does not require user interaction. Exploiting this vulnerability enables attackers to extract sensitive information from the backend database by leveraging time delays to infer data, compromising confidentiality. The vulnerability does not affect data integrity or availability, as it is a read-only attack vector. No patches are currently linked, and no known exploits have been reported in the wild, but the presence of this vulnerability in a widely used WordPress plugin poses a significant risk. The CVSS v3.1 score is 6.5, reflecting medium severity with high confidentiality impact, low attack complexity, and requiring low privileges but no user interaction.

The primary impact of CVE-2025-2890 is unauthorized disclosure of sensitive information stored in the WordPress database, which may include user data, subscription details, or other confidential content managed by the tagDiv Opt-In Builder plugin. Since the vulnerability allows SQL Injection via a parameter accessible to authenticated users with Subscriber-level access, attackers who have compromised or created low-privilege accounts can escalate their data access capabilities without needing administrative privileges. This can lead to privacy violations, data leakage, and potential compliance issues for organizations handling personal or financial data. Although the vulnerability does not directly affect data integrity or availability, the exposure of sensitive information can facilitate further attacks such as phishing, identity theft, or lateral movement within the network. Organizations running WordPress sites with this plugin are at risk, especially those with large subscriber bases or sensitive subscriber information.

1. Apply official patches or updates from tagDiv as soon as they become available to address the SQL Injection vulnerability. 2. Until patches are released, implement strict input validation and sanitization on the 'subscriptionCouponId' parameter at the web application firewall (WAF) or reverse proxy level to block malicious payloads. 3. Restrict Subscriber-level user permissions to the minimum necessary and monitor for suspicious account creation or activity. 4. Employ database query parameterization and prepared statements in custom code to prevent SQL Injection. 5. Conduct regular security audits and penetration testing focusing on plugin vulnerabilities. 6. Monitor logs for unusual query patterns or time delays indicative of time-based SQL Injection attempts. 7. Educate site administrators about the risks of installing unverified plugins and maintaining least privilege principles. 8. Consider temporarily disabling or removing the tagDiv Opt-In Builder plugin if immediate patching is not feasible and the risk is unacceptable.