Platform
wordpress
Component
paid-downloads
Fixed in
3.15.1
CVE-2025-68857 describes a critical SQL Injection vulnerability discovered in the ichurakov Paid Downloads WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 up to and including 3.15. A patch is expected to be released by the vendor.
The SQL Injection vulnerability in Paid Downloads allows an attacker to bypass security measures and directly interact with the underlying database. Because it's a blind SQL injection, the attacker doesn't receive immediate feedback from the database server, requiring them to infer information through trial and error. This can be used to extract sensitive data such as user credentials, payment information, and plugin configuration details. Successful exploitation could lead to complete compromise of the WordPress site and potentially the entire server, depending on database user permissions. The blind nature of the injection makes detection more challenging, as it doesn't generate obvious error messages.
CVE-2025-68857 was publicly disclosed on 2026-01-22. The severity is considered CRITICAL due to the potential for data exfiltration and system compromise. There are currently no known public proof-of-concept exploits, but the nature of blind SQL injection means that exploitation is feasible with sufficient effort. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress sites utilizing the ichurakov Paid Downloads plugin, particularly those running versions 0.0.0 through 3.15, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others. Sites with weak database user permissions are also at higher risk.
• wordpress / composer / npm:
grep -r "ichurakov Paid Downloads" /var/www/html/
wp plugin list | grep 'Paid Downloads'
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/paid-downloads/ | grep 'X-Powered-By'
Disclosure
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68857 is to upgrade to a patched version of the Paid Downloads plugin as soon as it becomes available. Until then, implement temporary workarounds. A Web Application Firewall (WAF) configured with rules to detect and block SQL injection attempts targeting the plugin's endpoints is crucial. Carefully review and restrict database user permissions to minimize the impact of a successful attack. Consider implementing input validation and sanitization on all user-supplied data to further reduce the attack surface. Monitor WordPress logs for suspicious database queries.
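The advisory notes above that blind injection produces no error messages and that logs should be monitored for suspicious requests. The following is an added example, not code from the advisory or the plugin, of a small detector that scans web-server access-log lines for requests under the plugin path (taken from the page's curl check) carrying typical blind-SQLi probe indicators. It assumes the combined log format; the endpoint name "example.php" and all log lines are constructed placeholders, since the advisory names no vulnerable endpoint.

```python
import re
from urllib.parse import unquote_plus

# Plugin path taken from the page's own curl check. The advisory names no
# specific endpoint, so every request under this prefix is treated as in scope.
PLUGIN_PREFIX = "/wp-content/plugins/paid-downloads/"
# Indicators of blind SQLi probing (time delays, boolean tautologies, subquery
# probes), matched case-insensitively on the URL-decoded request path.
BLIND_SQLI_PATTERNS = [
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("boolean-tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("quoted-boolean", re.compile(r"'\s*(and|or)\s+'", re.I)),
    ("subquery", re.compile(r"\b(and|or)\s+\(?\s*select\b", re.I)),
]

# Combined log format. Only GET query strings are visible here; probes sent in
# POST bodies need WAF or application-level logging to be caught.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = unquote_plus(entry["path"])  # decode %27, %20, '+' before matching
    return entry

def classify(entry):
    """Names of matched indicators for one parsed entry; [] if clean or out of scope."""
    if entry is None or not entry["path"].startswith(PLUGIN_PREFIX):
        return []
    return [name for name, rx in BLIND_SQLI_PATTERNS if rx.search(entry["path"])]

def scan(lines):
    """Return (ip, decoded path, indicators) for every suspicious request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        found = classify(entry)
        if found:
            hits.append((entry["ip"], entry["path"], found))
    return hits
# Constructed sample lines; "example.php" is a placeholder, not a real plugin file.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jan/2026:10:15:01 +0000] "GET /wp-content/plugins/paid-downloads/example.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Jan/2026:10:15:04 +0000] "GET /wp-content/plugins/paid-downloads/example.php?id=7%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jan/2026:10:16:10 +0000] "GET /wp-content/plugins/paid-downloads/example.php?id=7%27%20AND%20%271%27=%271 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9 - - [22/Jan/2026:10:16:12 +0000] "GET /wp-admin/admin-ajax.php?action=x%20AND%201=1 HTTP/1.1" 200 80 "-" "curl/8.0"',
]
```

Pattern matches are a triage signal, not proof of exploitation; a burst of near-identical requests from one source with varying response times is the stronger indicator of time-based probing.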
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-68857 is a critical SQL Injection vulnerability affecting the ichurakov Paid Downloads plugin for WordPress, allowing attackers to potentially extract data via blind SQL injection.
If you are running the Paid Downloads plugin in WordPress at any version from 0.0.0 through 3.15, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the Paid Downloads plugin. Until then, implement WAF rules and restrict database user permissions.
While no public exploits are currently known, the nature of blind SQL injection means exploitation is feasible, and proactive mitigation is recommended.
Refer to the ichurakov Paid Downloads plugin website and WordPress.org plugin repository for official advisories and updates regarding CVE-2025-68857.