Platform: wordpress
Component: multi-crypto-currency-payment
Fixed in: 2.0.8
CVE-2025-48141 describes a SQL Injection vulnerability in Multi CryptoCurrency Payments, a WordPress plugin. The flaw lets an attacker inject SQL into queries the plugin runs, potentially gaining unauthorized access to sensitive data and compromising the whole system. Versions from 0.0.0 through 2.0.7 are affected, and a fix is available in version 2.0.4.
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication and to read, modify, or delete data in the database. This includes sensitive information such as user credentials, transaction details, and potentially cryptocurrency wallet information. Depending on the database structure and permissions, an attacker might also be able to execute arbitrary commands on the underlying server, leading to complete system compromise. The impact is particularly severe given the plugin's purpose: handling cryptocurrency payments, which inherently involves high-value financial data. A SQL Injection vulnerability in a financial plugin of this kind can lead to significant financial losses and reputational damage.
CVE-2025-48141 was publicly disclosed on 2025-06-09. Its severity is rated CRITICAL because of the potential for complete system compromise. As of this writing there are no publicly available proof-of-concept exploits, but the ease with which SQL Injection is generally exploited suggests a high probability of exploitation if the plugin is left unpatched. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.06% (18th percentile)
The primary mitigation for CVE-2025-48141 is to upgrade Multi CryptoCurrency Payments to version 2.0.4 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider deploying a Web Application Firewall (WAF) with SQL Injection protection rules. Review and sanitize all user input so that it can never reach a query as SQL syntax. Monitor database logs for unusual queries that might indicate an exploitation attempt. Apply strict database user permissions so that a successful attack can do as little damage as possible. After upgrading, confirm that the vulnerability is resolved by testing the plugin's input handling with a series of SQL injection payloads.
Update the Multi CryptoCurrency Payments plugin to a version later than 2.0.7 to mitigate the SQL Injection vulnerability. Check the plugin page on WordPress.org for the latest available version and follow the update instructions provided by the developer. Back up your website before performing any update.
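As an added illustration of the "sanitize all user inputs" advice above, here is a hypothetical WordPress lookup written first unsafely and then with $wpdb->prepare(). This is example code, not the plugin's own source (which is not on this page); the table name, column names and request parameter are assumptions.

```php
<?php
// Added example, not the plugin's code. Table/column/parameter names are hypothetical.

// UNSAFE: the request value is concatenated straight into the SQL string, so a
// crafted value changes the query's structure. This is the bug class the advisory describes.
function mcp_example_get_payment_unsafe( $order_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'mcp_payments'; // hypothetical table
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE order_id = '{$order_id}'" );
}

// SAFE: $wpdb->prepare() binds the value through a typed placeholder (%d, %s, %f),
// so it is escaped and can never be interpreted as SQL syntax.
function mcp_example_get_payment_safe( $order_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'mcp_payments';
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE order_id = %s", $order_id );
    return $wpdb->get_row( $sql );
}

// SAFE with LIKE: wildcard characters in user input must be escaped with esc_like()
// before binding, otherwise a "%" in the input widens a narrow search to every row.
function mcp_example_search_by_wallet_prefix( $prefix ) {
    global $wpdb;
    $table = $wpdb->prefix . 'mcp_payments';
    $like  = $wpdb->esc_like( $prefix ) . '%';
    $sql   = $wpdb->prepare( "SELECT id, status FROM {$table} WHERE wallet LIKE %s", $like );
    return $wpdb->get_results( $sql );
}

// Reading request input the WordPress way: unslash, sanitize, then bind.
function mcp_example_handle_request() {
    $raw      = isset( $_GET['order_id'] ) ? wp_unslash( $_GET['order_id'] ) : '';
    $order_id = sanitize_text_field( $raw );
    return mcp_example_get_payment_safe( $order_id );
}
```

Sanitizing alone is not a substitute for binding: sanitize_text_field() strips tags and control characters but does not make a value safe to splice into SQL, which is why the bound placeholder is what actually closes the injection.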
CVE-2025-48141 is a critical SQL Injection vulnerability affecting Multi CryptoCurrency Payments versions 0.0.0–2.0.7, allowing attackers to inject malicious SQL code and potentially compromise the database.
If you are using Multi CryptoCurrency Payments version 0.0.0 through 2.0.7 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade Multi CryptoCurrency Payments to version 2.0.4 or later to remediate the SQL Injection vulnerability. Consider WAF rules as a temporary workaround.
While no public exploits are currently known, the ease of SQL Injection exploitation suggests a high probability of exploitation if left unpatched.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.