CVE-2025-9322 identifies a critical SQL Injection vulnerability in the Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions WordPress plugin developed by themeisle. The vulnerability exists in all versions up to and including 8.3.1 due to improper neutralization of special elements in the 'wpfs-form-name' parameter. Specifically, the plugin fails to sufficiently escape user-supplied input and does not use prepared statements or parameterized queries when constructing SQL commands. This allows unauthenticated attackers to inject arbitrary SQL code by appending malicious queries to the existing SQL statement. Exploitation can lead to unauthorized disclosure of sensitive information stored in the backend database, such as user data, payment details, or configuration settings. The vulnerability requires no authentication or user interaction, making it highly accessible to remote attackers. The CVSS v3.1 base score is 7.5, reflecting the network attack vector, low attack complexity, no privileges required, and high impact on confidentiality, while integrity and availability remain unaffected. No public exploits have been reported yet, but the vulnerability's nature and the plugin's widespread use in WordPress payment processing make it a significant threat. The lack of official patches at the time of disclosure necessitates immediate mitigation efforts by site administrators.

The primary impact of CVE-2025-9322 is the potential unauthorized disclosure of sensitive data from the affected WordPress site's database. Attackers can exploit the SQL Injection flaw to extract confidential information such as customer payment details, personal user data, and administrative credentials. This can lead to data breaches, financial fraud, identity theft, and reputational damage for organizations. Since the plugin is used for payment processing, exploitation could undermine trust in e-commerce platforms and lead to regulatory compliance violations (e.g., PCI DSS, GDPR). The vulnerability does not directly impact data integrity or availability, but the exposure of sensitive data alone can have severe consequences. The ease of exploitation—requiring no authentication or user interaction—means attackers can automate attacks at scale, potentially compromising numerous sites globally. Organizations relying on this plugin for donations, subscriptions, or credit card payments face heightened risk, especially if they have not applied mitigations or updates. The absence of known exploits in the wild currently provides a window for proactive defense, but the threat landscape may evolve rapidly.

1. Immediate action should be to update the Stripe Payment Forms by WP Full Pay plugin to a patched version once released by themeisle. Monitor official channels for patch announcements. 2. If no patch is available, consider temporarily disabling the plugin to prevent exploitation. 3. Implement web application firewall (WAF) rules that specifically detect and block SQL Injection attempts targeting the 'wpfs-form-name' parameter. 4. Employ input validation and sanitization at the application level to reject suspicious characters or patterns in form inputs. 5. Review and harden database permissions to limit the plugin's database user privileges, reducing potential data exposure. 6. Monitor database logs and web server logs for unusual query patterns or repeated access attempts to the vulnerable parameter. 7. Conduct security audits and penetration testing focused on SQL Injection vectors in WordPress plugins. 8. Educate site administrators about the risks of using outdated plugins and the importance of timely updates. 9. Consider isolating payment processing components or migrating to alternative, well-maintained payment plugins with strong security track records. 10. Backup critical data regularly to enable recovery in case of compromise.