CVE-2025-28942 identifies a critical SQL Injection vulnerability in the Trust Payments Gateway for WooCommerce plugin, specifically in the trust-payments-hosted-payment-pages-integration component. The vulnerability arises from improper neutralization of special elements used in SQL commands, allowing attackers to inject arbitrary SQL code. This can lead to unauthorized database queries, enabling attackers to read sensitive payment and customer data, modify database contents, or disrupt the payment processing functionality. The affected versions include all releases up to and including 1.1.4. The vulnerability does not require prior authentication, increasing the risk of exploitation by remote attackers. Although no known exploits are currently reported, the nature of SQL Injection vulnerabilities makes them attractive targets for attackers seeking to compromise e-commerce platforms. WooCommerce is a widely used WordPress plugin for e-commerce, and Trust Payments Gateway is a payment processing extension, making this vulnerability particularly concerning for online merchants relying on this payment gateway. The lack of a CVSS score necessitates an independent severity assessment based on the vulnerability's characteristics and potential impact.

The potential impact of CVE-2025-28942 is significant for organizations using the Trust Payments Gateway for WooCommerce. Successful exploitation can lead to unauthorized access to sensitive payment and customer information, resulting in data breaches and financial fraud. Attackers could manipulate or delete transaction records, undermining the integrity of payment processing and causing operational disruptions. This may lead to loss of customer trust, regulatory penalties, and financial losses. The vulnerability could also be leveraged as a foothold for further attacks within the affected organization's network. Given WooCommerce's extensive use in global e-commerce, the scope of affected systems is broad, potentially impacting small to large online retailers. The ease of exploitation without authentication and the critical nature of payment data elevate the threat level. Organizations failing to address this vulnerability risk severe reputational damage and compliance violations, especially under data protection regulations like GDPR and PCI DSS.

To mitigate CVE-2025-28942, organizations should immediately monitor for updates and apply vendor patches as soon as they become available. In the absence of a patch, implement strict input validation and sanitization on all user-supplied data interacting with the Trust Payments Gateway plugin. Deploy Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL Injection attempts targeting WooCommerce and payment gateway endpoints. Conduct thorough code reviews and penetration testing focusing on SQL Injection vectors within the payment integration. Limit database user privileges associated with the plugin to the minimum necessary to reduce potential damage from exploitation. Maintain regular backups of payment and transaction data to enable recovery in case of data corruption or loss. Educate development and security teams about secure coding practices and the risks of SQL Injection. Finally, monitor logs for suspicious database queries or anomalies indicative of exploitation attempts.