CVE-2025-2221 Scanner
CVE-2025-2221 Scanner - SQL Injection vulnerability in WordPress WPCOM Member
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 16 days 11 hours
Scan only one: Domain, Subdomain, IPv4
WordPress is a widely used content management system (CMS) that powers millions of websites worldwide. Plugins like WPCOM Member extend its functionality by providing additional features for membership sites. Many small to medium businesses and independent website developers use such plugins to manage subscription-based content access. The WPCOM Member plugin allows site administrators to control user accounts, membership levels, and related functionality. By supporting various access controls, the plugin is integral to ensuring that only permitted users can access specific site content. Its ease of use and integration with WordPress make it a popular choice among website managers looking to enhance their site's capabilities.
The SQL Injection vulnerability detected in the WPCOM Member plugin allows attackers to inject malicious SQL through the 'user_phone' parameter. Such a flaw can let unauthorized users extract sensitive database information by manipulating the SQL commands the plugin executes. The vulnerability affects the integrity and confidentiality of data within any WordPress installation using this plugin. Attackers can exploit it to bypass application security layers and reach restricted areas of the database. The root cause is insufficient escaping of, and lack of preparation on, the parameter as handled through admin-ajax.php. This exposes websites using the WPCOM Member plugin to significant risk.
Technically, the vulnerability arises from the 'user_phone' parameter in HTTP POST requests to admin-ajax.php, where the input is not properly escaped before it reaches the database query. The scanner's payload exploits the time-based nature of the SQL Injection by including a sleep command within the injected SQL. When the query executes, the server's response is delayed noticeably, which indicates successful injection. A nonce field is included to make the request pass the plugin's request verification, though that check can be trivially bypassed. This allows the presence of the vulnerability to be confirmed without direct database access. Left unchecked, this input manipulation leads to unauthorized database access.
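To make the root cause concrete, the following PHP sketch is an added illustration written for this page; it is not the WPCOM Member plugin's code, and the table name, action name, nonce action and function names are hypothetical. It contrasts an admin-ajax.php handler that concatenates the 'user_phone' value straight into a query with the hardened form WordPress plugins are expected to use: a nonce check, a capability check, input sanitisation, and binding the value through $wpdb->prepare() so it is always treated as a quoted literal rather than as SQL.

```php
<?php
// Added illustrative example; not the WPCOM Member plugin's own code.
// A hypothetical admin-ajax.php handler that looks a member up by phone number.

// INSECURE pattern (hypothetical): the raw POST value is concatenated into the
// statement, so a value containing a quote followed by SQL (for example a
// time-delay function) is executed as part of the query.
function example_lookup_member_insecure() {
    global $wpdb;
    $phone = $_POST['user_phone'];                      // unescaped, unprepared
    $sql   = "SELECT user_id FROM {$wpdb->prefix}example_members "
           . "WHERE user_phone = '" . $phone . "'";
    $row   = $wpdb->get_var( $sql );
    wp_send_json_success( array( 'id' => $row ) );
}

// HARDENED pattern (hypothetical): verify the nonce, restrict who may call the
// action, sanitise the input, and bind it with $wpdb->prepare().
function example_lookup_member_secure() {
    global $wpdb;

    // Rejects requests whose nonce was not created with
    // wp_create_nonce( 'example_lookup_member' ); dies with 403 on failure.
    check_ajax_referer( 'example_lookup_member', 'nonce' );

    // The nonce proves the request came from the site's own page; it does not
    // prove the caller is allowed to run the lookup, so check that separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Normalise the input and refuse values outside what a phone number can be.
    $phone = isset( $_POST['user_phone'] )
        ? sanitize_text_field( wp_unslash( $_POST['user_phone'] ) )
        : '';
    if ( '' === $phone || strlen( $phone ) > 32 ) {
        wp_send_json_error( 'invalid phone', 400 );
    }

    // %s is bound as an escaped, quoted literal; the value can no longer
    // change the structure of the statement, so a sleep() in it is just text.
    $sql = $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->prefix}example_members WHERE user_phone = %s",
        $phone
    );
    $row = $wpdb->get_var( $sql );
    wp_send_json_success( array( 'id' => $row ) );
}

// Only the hardened handler is registered (hypothetical action name).
add_action( 'wp_ajax_example_lookup_member', 'example_lookup_member_secure' );
```

The key change is that the insecure version builds the statement from the request value, while the hardened version hands the value to $wpdb->prepare() as data. The nonce and capability checks are separate layers: a leaked or predictable nonce would still leave the query itself safe, which is why the prepared statement, not the nonce, is the actual fix for this class of bug.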
When exploited, the SQL Injection vulnerability may lead to an extensive data breach. Malicious actors could fetch sensitive information such as usernames, email addresses, and hashed passwords. Health data, financial records, or any other sensitive information stored in the database might also be leaked. Privacy violations could result in reputational damage for the site owner, authors, or businesses running on the WordPress platform. Moreover, attackers might leverage this access to escalate privileges or move on to further attack phases such as data modification or even site takeover. Overall, the impact can range from minor information leaks to severe system compromise.