
CVE-2025-58789: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Themeisle WP Full Stripe Free

Severity: High
Published: Fri Sep 05 2025 (09/05/2025, 13:44:58 UTC)
Source: CVE Database V5
Vendor/Project: Themeisle
Product: WP Full Stripe Free

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle WP Full Stripe Free allows SQL Injection. This issue affects WP Full Stripe Free: from n/a through 8.3.0.

AI-Powered Analysis

AI analysis last updated: 09/12/2025, 23:57:53 UTC

Technical Analysis

CVE-2025-58789 is a high-severity SQL Injection vulnerability (CWE-89) in the WordPress plugin WP Full Stripe Free, developed by Themeisle, affecting versions up to and including 8.3.0. It arises from improper neutralization of special elements used in SQL commands, allowing an attacker who already holds high privileges (PR:H) to inject SQL remotely over the network (AV:N) without any user interaction (UI:N). The vulnerability has a CVSS 3.1 base score of 7.6. Scope is rated changed (S:C), meaning the impact can extend beyond the vulnerable component itself. The integrity impact is none (I:N), the confidentiality impact is high (C:H), and the availability impact is low (A:L): an attacker can exfiltrate sensitive data from the database but cannot modify data or cause significant service disruption. Exploitation requires authenticated access with high privileges, such as an administrator or a user with elevated rights in the WordPress environment. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability could allow attackers to extract sensitive information stored in the backend database, such as customer payment details or personal data, which is critical given the plugin's role in handling payment processing through its Stripe integration. The network-based attack vector and the absence of any user-interaction requirement increase the risk in compromised-account or insider-threat scenarios. All installations of WP Full Stripe Free up to version 8.3.0 are affected; the plugin is widely used for managing Stripe payments on WordPress sites.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for businesses relying on WP Full Stripe Free to handle online payments and customer financial data. Successful exploitation could lead to unauthorized disclosure of sensitive payment information, violating GDPR requirements for data protection and potentially resulting in regulatory fines and reputational damage. The confidentiality breach could expose customer credit card details or personal identifiers, increasing the risk of fraud and identity theft. Although the vulnerability does not allow data modification or deletion, the loss of confidentiality alone is critical in a financial context. Organizations running multi-tenant WordPress environments or with many administrator accounts are at higher risk, because exploitation requires high-privilege authentication and every such account is a potential entry point. The vulnerability could also be leveraged in targeted attacks against e-commerce platforms, charities, or service providers using this plugin, impacting business continuity and customer trust. Given the plugin's widespread use in Europe, the threat could affect a broad range of sectors including retail, hospitality, and non-profits.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately audit their WordPress installations to identify the presence of WP Full Stripe Free plugin versions up to 8.3.0. Until an official patch is released, organizations should consider the following specific actions:

1) Restrict administrative access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of privilege abuse.
2) Implement Web Application Firewalls (WAF) with custom rules to detect and block suspicious SQL injection patterns targeting the plugin's endpoints.
3) Conduct thorough logging and monitoring of database queries and administrative actions to detect anomalous behavior indicative of exploitation attempts.
4) If feasible, temporarily disable or replace the plugin with alternative payment processing solutions that do not exhibit this vulnerability.
5) Regularly update WordPress core and all plugins, and subscribe to vendor advisories for timely patch releases.
6) Perform security code reviews or penetration testing focused on SQL injection vectors in the plugin's integration points.
7) Limit database user permissions associated with WordPress to the minimum necessary to reduce potential damage from injection attacks.

These targeted measures go beyond generic advice by focusing on access control, monitoring, and compensating controls until a patch is available.
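The first step above is an inventory of affected plugin versions. The following added example (not the vendor's code or the advisory's) reads the standard WordPress plugin header (`Plugin Name:` / `Version:`) from plugin files and flags any copy at or below 8.3.0, using numeric version comparison so that a hypothetical 8.10.0 is not mistaken for an older release. It matches on the plugin name string rather than a directory slug, which the advisory does not state; the sample headers are constructed.

```python
import re
from pathlib import Path

# Highest affected release named in the advisory ("from n/a through 8.3.0").
LAST_AFFECTED = "8.3.0"
# The advisory gives no directory slug, so match on the header's Plugin Name
# (assumption: it contains this string; adjust if your install differs).
NAME_PATTERN = re.compile(r"WP Full Stripe", re.IGNORECASE)

def parse_plugin_header(php_source: str) -> dict:
    """Read 'Key: value' fields from the first /* ... */ comment of a plugin file."""
    header = {}
    block = re.search(r"/\*(.*?)\*/", php_source, re.DOTALL)
    if not block:
        return header
    for line in block.group(1).splitlines():
        kv = re.match(r"\s*\*?\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if kv:
            header[kv.group(1).strip()] = kv.group(2)
    return header

def is_affected(version: str) -> bool:
    """Numeric comparison so that e.g. 8.10.0 is correctly seen as newer than 8.3.0."""
    def key(v):
        return [int(n) for n in re.findall(r"\d+", v)]
    a, b = key(version), key(LAST_AFFECTED)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a <= b

def audit(sources: dict) -> list:
    """sources maps file path -> PHP text; returns (path, version) for affected copies."""
    hits = []
    for path, src in sources.items():
        hdr = parse_plugin_header(src)
        name, version = hdr.get("Plugin Name", ""), hdr.get("Version", "")
        if NAME_PATTERN.search(name) and version and is_affected(version):
            hits.append((path, version))
    return hits

def audit_directory(plugins_dir: str) -> list:
    """Scan wp-content/plugins: read the top-level .php files of every plugin folder."""
    files = Path(plugins_dir).glob("*/*.php")
    return audit({str(p): p.read_text(errors="ignore") for p in files})

# Constructed sample headers standing in for real plugin files.
SAMPLE = {
    "site-a/main.php": "<?php\n/*\nPlugin Name: WP Full Stripe Free\nVersion: 8.2.1\n*/\n",
    "site-b/main.php": "<?php\n/**\n * Plugin Name: WP Full Stripe Free\n * Version: 8.10.0\n */\n",
    "site-c/main.php": "<?php\n/*\nPlugin Name: Other Plugin\nVersion: 1.0\n*/\n",
}

if __name__ == "__main__":
    for path, ver in audit(SAMPLE):
        print(f"AFFECTED {path} (version {ver} <= {LAST_AFFECTED})")
```

Run `audit_directory("/var/www/html/wp-content/plugins")` (path is an example) against each site; once the vendor publishes a fixed release, raise `LAST_AFFECTED` only if the advisory's affected range changes.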


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-09-05T10:48:52.285Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68baeaa157c5b37b67a45fb0

Added to database: 9/5/2025, 1:50:25 PM

Last enriched: 9/12/2025, 11:57:53 PM

Last updated: 10/16/2025, 11:26:26 PM

