CVE-2026-28115 identifies a Blind SQL Injection vulnerability in the WP Attractive Donations System - Easy Stripe & Paypal donations plugin for WordPress, developed by loopus. The vulnerability arises from improper neutralization of special elements used in SQL commands, allowing attackers to inject arbitrary SQL code into database queries. Blind SQL Injection means the attacker can infer database information by sending crafted requests and analyzing responses, even without direct error messages. This plugin, which facilitates donation processing via Stripe and PayPal, is affected in all versions up to 1.25. The vulnerability does not require prior authentication, increasing the risk of exploitation by remote attackers. No patches or fixes have been released as of the publication date, and no known exploits have been observed in the wild. The plugin’s widespread use in WordPress environments makes this a significant concern, as successful exploitation could lead to unauthorized data disclosure, data modification, or even full database compromise. The lack of a CVSS score necessitates a severity assessment based on the potential impact and exploitability. Given the critical role of donation data and payment processing, this vulnerability poses a substantial risk to confidentiality and integrity of data, with potential availability impact if the database is manipulated or corrupted.

The impact of this vulnerability is significant for organizations using the WP Attractive Donations System plugin. Exploitation could allow attackers to extract sensitive donor information, manipulate donation records, or disrupt payment processing workflows. This could lead to financial fraud, reputational damage, and loss of donor trust. Additionally, attackers might leverage the vulnerability to escalate privileges within the WordPress environment or pivot to other parts of the network. Since the vulnerability does not require authentication, any public-facing WordPress site with this plugin is at risk. The potential for data leakage or unauthorized modification could also have compliance implications, especially for organizations subject to data protection regulations such as GDPR or PCI DSS. The absence of a patch increases the window of exposure, making timely mitigation critical. Overall, the threat could disrupt donation operations and compromise sensitive financial and personal data globally.

To mitigate this vulnerability, organizations should immediately audit their WordPress installations to identify if the WP Attractive Donations System plugin is in use. If found, consider disabling or uninstalling the plugin until a security patch is released. Implement Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting this plugin’s endpoints. Monitor web server and application logs for unusual or suspicious request patterns indicative of SQL injection probes. Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation. Employ input validation and parameterized queries if custom modifications to the plugin are feasible. Regularly back up WordPress site data and databases to enable recovery in case of compromise. Stay informed about vendor updates or security advisories for this plugin and apply patches promptly once available. Additionally, consider isolating donation processing components from other critical systems to reduce lateral movement risk.