CVE Alert: CVE-2025-9322 – themeisle – Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions
CVE-2025-9322
The Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions plugin for WordPress is vulnerable to SQL Injection via the ‘wpfs-form-name’ parameter in all versions up to, and including, 8.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Summary Analysis
Risk verdict
High risk: unauthenticated, network-facing SQL injection could lead to exposure of sensitive data from affected sites.
Why this matters
The flaw allows an attacker to append arbitrary SQL to existing queries, potentially leaking customer data stored in the database. With no authentication or user interaction required, even opportunistic scans could trigger data disclosures on exposed sites that use the vulnerable form.
Most likely attack path
An attacker targets a publicly accessible endpoint that accepts the wpfs-form-name parameter, sending crafted input to bypass escaping. Because authentication and user interaction are not required, exploitation can be attempted remotely with minimal preconditions, relying on the attacker’s ability to induce a vulnerable query to expose data. The impact is strictly confidentiality (high); no direct integrity or availability degradation is indicated.
Who is most exposed
WordPress sites that have the affected plugin installed, especially public-facing e-commerce or donation pages that process Stripe payments, and sites on shared or protected hosting with exposed web endpoints.
Detection ideas
- Logs showing unusual values in the form-name parameter or SQL-like payloads in requests.
- DB query logs or error logs indicating malformed or injected SQL via the vulnerable parameter.
- WAF alerts for atypical SQL injection patterns targeting the endpoint.
- Rapid spikes in data export attempts or unusual data access patterns from the database.
Mitigation and prioritisation
- Apply the patch or upgrade to the fixed version as soon as it is available; if that is not feasible, temporarily disable the vulnerable endpoint or plugin.
- Implement WAF/IPS rules to block SQL injection attempts targeting the form-name parameter; tighten input validation.
- Harden database access paths and enable enhanced DB activity logging; restrict excessive data exposure.
- Schedule a deployment window for remediation with testing in staging; communicate potential site impact to stakeholders.
- If KEV or EPSS indicators emerge in future feeds, treat it as priority 1.
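The detection ideas above (SQL-like payloads in the form-name parameter) and the input-validation point under mitigation can both be exercised with a small log scanner. The following is an added example written for this page, not code from the plugin or from the advisory's source. It assumes Apache/nginx combined-format access logs, a hypothetical public page path, and that the wpfs-form-name parameter arrives in the query string; all log lines are constructed samples. Its allowlist for a "form name" (short identifier only) is the same shape of check a WAF or the plugin itself would apply as input validation. One caveat: a request that carries the parameter in a POST body never shows up in the access log target, so pair this with WAF or request-body logging rather than relying on it alone.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Parameter named in the advisory.
PARAM = "wpfs-form-name"

# A form name is expected to be a short identifier; anything else is suspect.
FORM_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Indicators of SQL-like content in a value that should be a plain name.
SQLI_INDICATORS = [
    ("quote", re.compile(r"['\"`]")),
    ("comment", re.compile(r"(--|#|/\*)")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("boolean_tautology",
     re.compile(r"\b(or|and)\b\s*['\"]?\s*\w+\s*=\s*['\"]?\s*\w+", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I)),
    ("stacked", re.compile(r";\s*\w")),
]

# Minimal combined-log parser: ip ident user [ts] "METHOD TARGET PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (assumed page path /donate/; not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2025:12:00:01 +0000] '
    '"GET /donate/?wpfs-form-name=donation-form HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Sep/2025:12:00:02 +0000] '
    '"GET /donate/?wpfs-form-name=donation-form%27%20OR%201%3D1--%20 HTTP/1.1" 200 8192',
    '198.51.100.23 - - [10/Sep/2025:12:00:03 +0000] '
    '"GET /donate/?wpfs-form-name=x%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 500 220',
    # POST bodies are not in the access log: this line yields nothing to inspect.
    '198.51.100.23 - - [10/Sep/2025:12:00:04 +0000] '
    '"POST /wp-admin/admin-ajax.php HTTP/1.1" 200 60',
]


def extract_param(target, name=PARAM):
    """Return the decoded values of `name` from the request target's query string."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(name, [])
    # parse_qs decodes once; a second decode catches simple double-encoding.
    return [unquote_plus(v) for v in values]


def classify_value(value):
    """Return the indicator labels matched by `value`; an empty list means benign."""
    if FORM_NAME_RE.match(value):
        return []
    return [label for label, rx in SQLI_INDICATORS if rx.search(value)]


def scan_log(lines):
    """Return (ip, timestamp, value, labels) for requests whose form-name looks like SQL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in extract_param(m.group("target")):
            labels = classify_value(value)
            if labels:
                findings.append((m.group("ip"), m.group("ts"), value, labels))
    return findings


if __name__ == "__main__":
    for ip, ts, value, labels in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {value!r} -> {', '.join(labels)}")
```

The allowlist check runs first, so a legitimate form name never reaches the pattern list; only values that fall outside the expected identifier shape are scored, which keeps false positives low on ordinary traffic.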