Platform: wordpress
Component: hcv4-payment-gateway
Fixed in: 1.5.12
CVE-2025-52773 describes a SQL injection vulnerability discovered in the HieCOR Payment Gateway Plugin for WordPress. The flaw lets an attacker inject SQL into the plugin's database queries, potentially exposing sensitive data and granting unauthorized access to the database. Versions 0 through 1.5.11 are affected; the fix ships in version 1.5.12.
Successful exploitation could give an attacker full control over the WordPress database: reading customer records (payment information, personal details, order history), modifying or inserting data, and potentially escalating to administrative access on the site. The blast radius covers every user who has interacted with the payment gateway, which makes this a high-priority concern for e-commerce sites running the plugin. SQL injection of this kind is particularly damaging because it is often not caught by generic security controls that do not inspect the affected request parameters.
CVE-2025-52773 was publicly disclosed on 2025-11-06. Its severity is rated CRITICAL with a CVSS score of 9.3. No public proof-of-concept (PoC) code had been identified at the time of writing, but SQL injection flaws are typically straightforward to exploit, so the likelihood of exploitation is high for as long as the vulnerability remains unpatched. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-52773 is to upgrade the HieCOR Payment Gateway Plugin to version 1.5.12 or later without delay. If an immediate upgrade is not feasible because of compatibility concerns or breaking changes, deploy a Web Application Firewall (WAF) rule that filters SQL injection patterns aimed at the vulnerable endpoints as a stopgap. In addition, review and restrict the permissions of the database user WordPress connects with, so that a successful injection cannot read or alter more than that user is allowed to. Monitor WordPress access logs for requests carrying SQL fragments. After upgrading, confirm the fix by re-testing the previously vulnerable endpoint with a SQL injection probe and verifying that it is blocked.
Update the HieCOR Payment Gateway plugin to the latest available version to close the SQL injection vulnerability. Check the WordPress plugin repository for the update, or contact the plugin developer for details of the patched version. Add defensive measures in your own code as well, such as validating and sanitizing user input and binding it through prepared statements, to prevent similar flaws in future.
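In WordPress plugin code, the advice above to validate and sanitize input comes down to one rule: no request-derived value is ever concatenated into SQL text; it is validated against an allow-list and then bound through `$wpdb->prepare()`. The block below is an added illustration written for this page, not code from the HieCOR plugin or from WordPress core, and it says nothing about where the plugin's own flaw lies. The table name, function names and AJAX action are placeholders; the real WordPress APIs it relies on are `$wpdb->prepare()`, `$wpdb->get_results()`, `$wpdb->get_row()`, `sanitize_text_field()`, `absint()`, `check_ajax_referer()`, `current_user_can()`, `wp_unslash()` and `wp_send_json_*()`.

```php
<?php
// Added illustration for this page (not the HieCOR plugin's code).
// Assumes it runs inside WordPress, where $wpdb and the helpers below exist.
// Table name and action names are placeholders.

// Vulnerable pattern (hypothetical): request data interpolated straight into SQL.
// A quote character inside $order_ref changes the structure of the statement.
function hypothetical_lookup_order_unsafe( $order_ref ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_orders'; // placeholder table
    return $wpdb->get_results(
        "SELECT id, order_ref, status FROM {$table} WHERE order_ref = '{$order_ref}'"
    );
}

// Hardened form: normalise, allow-list the shape of the value, then bind it.
// prepare() quotes and escapes %s itself, so the value can never alter the SQL text.
function hypothetical_lookup_order_safe( $order_ref ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_orders';

    $order_ref = sanitize_text_field( (string) $order_ref );
    // Allow-list: order references in this example are alphanumeric plus '-'.
    if ( ! preg_match( '/^[A-Za-z0-9-]{1,40}$/', $order_ref ) ) {
        return new WP_Error( 'bad_order_ref', 'Invalid order reference.' );
    }

    $sql = $wpdb->prepare(
        "SELECT id, order_ref, status FROM {$table} WHERE order_ref = %s",
        $order_ref
    );
    return $wpdb->get_results( $sql );
}

// Numeric identifiers: coerce with absint() and bind with %d.
function hypothetical_lookup_order_by_id_safe( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_orders';

    $id = absint( $id );
    if ( 0 === $id ) {
        return new WP_Error( 'bad_id', 'Invalid order id.' );
    }
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, order_ref, status FROM {$table} WHERE id = %d", $id )
    );
}

// Handler wiring (placeholder action): nonce check and capability check come
// first, so unauthenticated callers never reach the query at all.
add_action( 'wp_ajax_hypothetical_lookup_order', function () {
    check_ajax_referer( 'hypothetical_lookup_order' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw = isset( $_POST['order_ref'] ) ? wp_unslash( $_POST['order_ref'] ) : '';
    $rows = hypothetical_lookup_order_safe( $raw );
    if ( is_wp_error( $rows ) ) {
        wp_send_json_error( $rows->get_error_message(), 400 );
    }
    wp_send_json_success( $rows );
} );
```

Two points worth keeping in mind when reviewing plugin code against this pattern: `prepare()` only protects the values it binds, so table and column names (which it cannot parameterise) must come from constants or an allow-list, never from the request; and a `LIKE` pattern needs `$wpdb->esc_like()` applied to the value before it is passed as a `%s` argument, otherwise `%` and `_` in user input act as wildcards.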
CVE-2025-52773 is a critical SQL Injection vulnerability affecting the HieCOR Payment Gateway Plugin for WordPress, allowing attackers to inject malicious SQL code and potentially compromise the database.
You are affected if you are using the HieCOR Payment Gateway Plugin in versions 0 through 1.5.11. Upgrade to version 1.5.12 or later to mitigate the risk.
The recommended fix is to upgrade the HieCOR Payment Gateway Plugin to version 1.5.12 or later. As a temporary workaround, implement a WAF rule to filter malicious SQL queries.
No public exploit has been confirmed, but SQL injection flaws are typically easy to exploit, so the likelihood of exploitation is high while the vulnerability remains unpatched.
Please refer to the HieCOR Payment Gateway Plugin's official website or WordPress plugin repository for the latest advisory and update information.