CVE-2025-58789 is a high-severity SQL Injection vulnerability (CWE-89) found in the Themeisle WP Full Stripe Free WordPress plugin, affecting versions up to and including 8.3.0. This vulnerability arises from improper neutralization of special elements in SQL commands, allowing an attacker with high privileges on the WordPress site to inject malicious SQL code. The CVSS 3.1 score of 7.6 reflects a network exploitable vulnerability with low attack complexity but requiring high privileges and no user interaction. The scope is changed, indicating that exploitation can affect resources beyond the initially vulnerable component. The impact on confidentiality is high, as attackers can extract sensitive data from the database, but integrity impact is none and availability impact is low. Since the vulnerability requires high privileges, it is not exploitable by unauthenticated users but could be leveraged by insiders or through chained attacks where initial access is gained by other means. No known exploits are currently in the wild, and no patches have been linked yet. The vulnerability affects the WP Full Stripe Free plugin, which is used to integrate Stripe payment processing into WordPress sites. The plugin’s improper input sanitization in SQL queries could allow attackers to manipulate database queries, potentially exposing customer payment data or other sensitive information stored in the database. Given the plugin’s role in handling payment data, the confidentiality impact is critical, as leakage of payment or personal data could lead to financial fraud or regulatory non-compliance. The vulnerability’s exploitation could also lead to partial denial of service due to database query manipulation, though integrity impact is not indicated. The vulnerability is particularly concerning for organizations relying on WordPress e-commerce or donation platforms using this plugin, as it could compromise customer trust and lead to legal liabilities under data protection regulations.

For European organizations, this vulnerability poses significant risks due to the widespread use of WordPress for business websites and e-commerce platforms. Organizations handling payment processing via the WP Full Stripe Free plugin could face data breaches exposing customer payment details and personal information, leading to financial losses and reputational damage. The high confidentiality impact raises concerns under the EU’s GDPR, which mandates strict protection of personal data and imposes heavy fines for breaches. Additionally, the partial availability impact could disrupt payment processing services, affecting business continuity. Since the vulnerability requires high privileges, insider threats or compromised administrator accounts could be leveraged to exploit this issue. European organizations with limited patch management capabilities or those using outdated plugin versions are at higher risk. The lack of a patch at the time of disclosure increases the urgency for mitigation. The vulnerability also highlights the importance of securing WordPress environments and monitoring for suspicious database activity. Overall, the threat could impact financial institutions, e-commerce businesses, NGOs collecting donations, and any organization using the affected plugin for payment integration.

1. Immediate mitigation should include restricting administrative access to trusted personnel only and enforcing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of privilege escalation. 2. Monitor database logs and WordPress activity logs for unusual or suspicious SQL queries that could indicate attempted exploitation. 3. Disable or remove the WP Full Stripe Free plugin if it is not essential or replace it with a fully patched alternative payment integration plugin. 4. Implement Web Application Firewall (WAF) rules specifically targeting SQL injection patterns related to the plugin’s known vulnerable endpoints to block exploitation attempts. 5. Regularly update WordPress core, plugins, and themes to the latest versions once a patch for this vulnerability is released by Themeisle. 6. Conduct security audits and penetration testing focusing on WordPress plugins handling payment data to identify similar vulnerabilities. 7. Limit database user permissions associated with WordPress to the minimum necessary to reduce potential damage from SQL injection. 8. Educate administrators and developers about secure coding practices and the risks of SQL injection to prevent future vulnerabilities.