CVE-2025-9463 is a medium-severity SQL Injection vulnerability affecting the Payments Plugin and Checkout Plugin for WooCommerce that integrates payment gateways such as Stripe, PayPal, Square, and Authorize.net. The vulnerability exists in all versions up to and including 1.117.5 of the peachpay plugin for WordPress. It arises due to improper neutralization of special elements in the 'order_by' parameter, which is insufficiently escaped and improperly handled in SQL queries. This flaw enables authenticated attackers with at least Subscriber-level access to inject additional SQL commands into existing queries. The injection is time-based, allowing attackers to infer sensitive data from the database by measuring response delays. Notably, no user interaction beyond authentication is required, and the attack vector is network-based with low attack complexity. The vulnerability impacts confidentiality by potentially exposing sensitive information stored in the database, but does not affect integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The CVSS v3.1 base score is 6.5, reflecting a medium severity with high confidentiality impact but no integrity or availability impact.

For European organizations, this vulnerability poses a significant risk to the confidentiality of customer and transaction data processed through WooCommerce sites using the affected peachpay plugin. Given the widespread use of WooCommerce and the popularity of payment gateways like Stripe and PayPal in Europe, exploitation could lead to unauthorized disclosure of personal data, payment details, and other sensitive information. This could result in regulatory non-compliance with GDPR, reputational damage, and potential financial losses. Since the vulnerability requires only subscriber-level authentication, attackers could leverage compromised or weak user credentials to exploit the flaw. The impact is particularly critical for e-commerce businesses, financial services, and any organization relying on WordPress-based online stores. Although the vulnerability does not affect data integrity or availability, the confidentiality breach alone is sufficient to cause severe operational and legal consequences in the European context.

European organizations should immediately audit their WordPress environments to identify installations of the peachpay Payments and Checkout Plugin for WooCommerce up to version 1.117.5. Until an official patch is released, the following specific mitigations are recommended: 1) Restrict user roles and permissions rigorously, ensuring that only trusted users have Subscriber-level or higher access to the WordPress backend. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns, particularly targeting the 'order_by' parameter in plugin-related requests. 3) Conduct regular security scans focusing on SQL injection vulnerabilities and anomalous database query patterns. 4) Monitor logs for unusual delays or errors indicative of time-based SQL injection attempts. 5) Consider temporarily disabling or replacing the affected plugin if feasible until a patch is available. 6) Enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 7) Keep all WordPress core and plugin components updated and subscribe to vendor advisories for timely patch deployment.