CVE-2025-9322 is an SQL Injection vulnerability classified under CWE-89 that affects the WordPress plugin 'Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions' developed by themeisle. The vulnerability exists in all plugin versions up to and including 8.3.1 due to insufficient escaping and lack of proper parameterized queries on the 'wpfs-form-name' HTTP parameter. This parameter is user-supplied and directly incorporated into SQL queries without adequate sanitization, enabling attackers to append arbitrary SQL code. The vulnerability can be exploited remotely by unauthenticated attackers without any user interaction, making it highly accessible. Successful exploitation allows attackers to extract sensitive information from the backend database, compromising confidentiality. The CVSS v3.1 base score is 7.5, reflecting high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no public exploits have been reported yet, the nature of SQL Injection vulnerabilities and the widespread use of WordPress and this plugin in e-commerce contexts make this a critical concern. The lack of available patches at the time of disclosure increases the urgency for interim mitigations.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive customer and payment data stored in WordPress databases. Exploitation could lead to unauthorized data disclosure, including payment details, personal information, and business-sensitive records. This can result in financial losses, regulatory penalties under GDPR for data breaches, reputational damage, and loss of customer trust. Organizations relying on this plugin for payment processing or donation collection are particularly at risk. The vulnerability's ease of exploitation by unauthenticated attackers increases the likelihood of attacks, especially targeting small to medium enterprises that may lack robust security monitoring. Additionally, the exposure of payment-related data could facilitate further fraud or identity theft. The impact on availability and integrity is minimal, but confidentiality breaches alone are critical in the payment processing context.

1. Immediately identify and inventory all WordPress instances using the 'Stripe Payment Forms by WP Full Pay' plugin. 2. Disable or deactivate the plugin temporarily if patching is not yet available to prevent exploitation. 3. Monitor official themeisle channels and CVE databases for patch releases and apply updates promptly once available. 4. Implement Web Application Firewall (WAF) rules to detect and block SQL Injection attempts targeting the 'wpfs-form-name' parameter, using signature-based and anomaly detection methods. 5. Conduct thorough security audits and database access reviews to detect any signs of compromise. 6. Harden WordPress installations by restricting database user permissions to the minimum necessary, preventing excessive data exposure if exploited. 7. Educate site administrators on the risks of installing unvetted plugins and encourage regular plugin updates. 8. Consider deploying runtime application self-protection (RASP) solutions to detect and block injection attacks in real time. 9. Review and enhance logging and alerting mechanisms to quickly identify suspicious activities related to SQL Injection attempts.