Platform: wordpress
Component: click-pledge-connect
Fixed in: 6.8.1
CVE-2025-28983 describes a critical SQL Injection vulnerability discovered in Click & Pledge Connect. This flaw allows attackers to inject malicious SQL code, potentially leading to privilege escalation and unauthorized data access. The vulnerability impacts versions 25.04010101 through WP6.8. A patch is available in version 6.8.1.
Successful exploitation of CVE-2025-28983 could grant an attacker complete control over the Click & Pledge Connect database. This includes the ability to read, modify, or delete sensitive data such as user credentials, financial information, and order details. The attacker could potentially escalate privileges to gain administrative access to the WordPress site hosting the plugin, enabling them to compromise the entire website. This vulnerability shares similarities with other SQL injection attacks where attackers bypass authentication and authorization controls to gain unauthorized access.
CVE-2025-28983 was publicly disclosed on 2025-07-04. The vulnerability's critical CVSS score suggests a high probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of SQL injection exploitation means it is likely to be developed. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.06% (17th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-28983 is to immediately upgrade Click & Pledge Connect to version 6.8.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the vulnerable endpoints. Carefully review and sanitize all user inputs to prevent SQL injection attacks. Monitor database logs for suspicious SQL queries that might indicate an ongoing attack.
Update the Click & Pledge Connect plugin to a patched version. Refer to the plugin's release notes or the developer's website for specific instructions on how to update and mitigate the SQL Injection vulnerability.
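As an added check, not the advisory's or the plugin vendor's code: a POSIX shell script that decides whether an installed click-pledge-connect version falls inside the affected range stated above (25.04010101 through WP6.8, fixed in 6.8.1). It assumes versions are dotted integers with an optional "WP" prefix and treats the older date-style scheme (major 25 or higher, as in 25.04010101) as wholly affected; WP-CLI's `wp plugin get` is used only for the live check.

```shell
#!/bin/sh
# Added check (not the advisory's or vendor's code): is an installed
# click-pledge-connect version inside the affected range the advisory gives
# (25.04010101 through WP6.8, fixed in 6.8.1)?
# Assumptions: versions are dotted integers with an optional "WP" prefix, and
# the older date-style scheme (major >= 25, as in 25.04010101) is wholly affected.

FIXED_VERSION="6.8.1"

# Drop the "WP" prefix seen in the advisory's "WP6.8" so only digits and dots remain.
normalize() {
  printf '%s\n' "${1#WP}"
}

# Compare two dotted integer versions; prints -1, 0 or 1 (like strcmp).
vercmp() {
  a=$(normalize "$1"); b=$(normalize "$2")
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}              # leading component of each side
    [ "$ah" = "$a" ] && a='' || a=${a#*.} # consume that component
    [ "$bh" = "$b" ] && b='' || b=${b#*.}
    ah=${ah:-0}; bh=${bh:-0}              # missing component counts as 0 (6.8 == 6.8.0)
    if [ "$ah" -lt "$bh" ]; then echo -1; return 0; fi
    if [ "$ah" -gt "$bh" ]; then echo 1; return 0; fi
  done
  echo 0
}

# Print "affected" or "patched" for one version string.
verdict() {
  v=$(normalize "$1")
  major=${v%%.*}
  # Date-style scheme (assumption: major >= 25) predates the fix entirely.
  if [ "${major:-0}" -ge 25 ]; then echo affected; return 0; fi
  if [ "$(vercmp "$v" "$FIXED_VERSION")" -lt 0 ]; then echo affected; else echo patched; fi
}

# Live check: needs WP-CLI and must run from the WordPress root.
check_site() {
  v=$(wp plugin get click-pledge-connect --field=version 2>/dev/null) || {
    echo "click-pledge-connect: not installed"; return 0; }
  echo "click-pledge-connect $v: $(verdict "$v")"
}

# Usage: ./check.sh            -> queries the live site via WP-CLI
#        ./check.sh <version>  -> evaluates a version string offline
if [ -n "$1" ]; then verdict "$1"; else check_site; fi
```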
CVE-2025-28983 is a critical SQL Injection vulnerability affecting Click & Pledge Connect, allowing attackers to inject malicious SQL code and potentially gain unauthorized access.
You are affected if you are using Click & Pledge Connect versions 25.04010101 through WP6.8. Upgrade to 6.8.1 to resolve the issue.
Upgrade Click & Pledge Connect to version 6.8.1 or later. Consider implementing a WAF as an interim measure.
While no active exploitation has been publicly confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the official Click & Pledge Connect website and security advisory page for the latest information and updates regarding CVE-2025-28983.