Platform: wordpress
Component: paid-downloads
Fixed in: 3.15.1
CVE-2025-68857 describes a critical SQL Injection vulnerability discovered in the ichurakov Paid Downloads WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 up to and including 3.15. A patch is expected to be released by the vendor.
The SQL Injection vulnerability in Paid Downloads allows an attacker to inject SQL into a query the plugin runs against the WordPress database. Because it is a blind SQL injection, the attacker receives no direct output from the database and must infer results one query at a time from how the application responds. This can be used to extract sensitive data such as user credentials, payment information, and plugin configuration details. Successful exploitation could lead to complete compromise of the WordPress site and potentially the entire server, depending on the permissions of the database user. The blind nature of the injection makes detection harder, because it produces no obvious error messages.
CVE-2025-68857 was publicly disclosed on 2026-01-22. The severity is considered CRITICAL due to the potential for data exfiltration and system compromise. There are currently no known public proof-of-concept exploits, but the nature of blind SQL injection means that exploitation is feasible with sufficient effort. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (13th percentile)
The primary mitigation for CVE-2025-68857 is to upgrade to a patched version of the Paid Downloads plugin as soon as it becomes available. Until then, implement temporary workarounds. A Web Application Firewall (WAF) configured with rules to detect and block SQL injection attempts targeting the plugin's endpoints is crucial. Carefully review and restrict database user permissions to minimize the impact of a successful attack. Consider implementing input validation and sanitization on all user-supplied data to further reduce the attack surface. Monitor WordPress logs for suspicious database queries.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
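One way to act on the log-monitoring advice above, as an added example that is not part of this advisory or of the plugin's own code: a small Python scanner that flags blind-SQL-injection probing in WordPress access logs, both by matching time-delay and tautology signatures and by checking that parameters expected to be integers stay numeric. The admin-ajax action name, the parameter names and the log lines are constructed for illustration; the advisory does not name the vulnerable parameter of CVE-2025-68857.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format line: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Conservative signatures of blind probing: time delays (time-based) and
# tautologies / character-extraction functions (boolean-based inference).
SIGNATURES = {
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(|waitfor\s+delay", re.I),
    "boolean-based": re.compile(r"\b(and|or)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "char-extraction": re.compile(r"\b(substr|substring|ascii|mid)\s*\(", re.I),
}

# Parameters the hypothetical download endpoint should only receive as integers
NUMERIC_PARAMS = {"id", "download_id"}

# Constructed sample log lines (not real traffic); the admin-ajax action name is made up
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=paid_download&id=42 HTTP/1.1" 200 512
203.0.113.5 - - [22/Jan/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=paid_download&id=42%20AND%20SLEEP(5) HTTP/1.1" 200 512
203.0.113.5 - - [22/Jan/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=paid_download&id=42%27%20AND%201%3D1--%20 HTTP/1.1" 200 512
198.51.100.7 - - [22/Jan/2026:10:01:00 +0000] "GET /?p=12 HTTP/1.1" 200 2048
"""

def analyze_line(line):
    """Return a finding for a suspicious request, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = set()
    query = urlsplit(m.group("path")).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:  # parse_qs has already URL-decoded the value
            for label, pattern in SIGNATURES.items():
                if pattern.search(value):
                    reasons.add(f"{label}:{name}")
            if name in NUMERIC_PARAMS and not value.isdigit():
                reasons.add(f"type-violation:{name}")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "path": m.group("path"), "reasons": sorted(reasons)}

def scan_log(text):
    """Scan a whole log and return the list of findings in file order."""
    return [f for f in map(analyze_line, text.splitlines()) if f]
```

Run against the constructed sample, the scanner reports the two probing requests from 203.0.113.5 and leaves the two ordinary requests alone; in practice, point it at the web server's access log for the site and alert on repeated findings from one client.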
CVE-2025-68857 is a critical SQL Injection vulnerability affecting the ichurakov Paid Downloads plugin for WordPress, allowing attackers to potentially extract data via blind SQL injection.
If you are using the Paid Downloads plugin in WordPress versions 0.0.0 through 3.15, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the Paid Downloads plugin. Until then, implement WAF rules and restrict database user permissions.
While no public exploits are currently known, the nature of blind SQL injection means exploitation is feasible, and proactive mitigation is recommended.
Refer to the ichurakov Paid Downloads plugin website and WordPress.org plugin repository for official advisories and updates regarding CVE-2025-68857.