Platform
wordpress
Component
hcv4-payment-gateway
Fixed in
1.5.12
CVE-2025-52773 describes a SQL Injection vulnerability discovered in the HieCOR Payment Gateway Plugin for WordPress. This flaw allows attackers to inject malicious SQL code, potentially compromising sensitive data and gaining unauthorized access to the database. The vulnerability impacts versions from 0 through 1.5.11, and a patch is available in version 1.5.12.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the WordPress database. They could extract sensitive customer data, including payment information, personal details, and order history. Furthermore, an attacker could modify data, insert malicious content, or even gain administrative access to the WordPress site. The blast radius extends to all users who have interacted with the payment gateway, making it a high-priority concern for e-commerce businesses using this plugin. This type of SQL injection can be particularly damaging as it often bypasses standard security measures.
CVE-2025-52773 was publicly disclosed on 2025-11-06. The vulnerability's severity is classified as CRITICAL with a CVSS score of 9.3. No public proof-of-concept (POC) code has been identified at the time of writing, but the ease of SQL injection exploitation suggests a high probability of exploitation if the vulnerability remains unpatched. It is not currently listed on the CISA KEV catalog.
E-commerce businesses and online stores utilizing the HieCOR Payment Gateway Plugin are at significant risk. Specifically, those running older, unpatched versions (0–1.5.11) are particularly vulnerable. Shared hosting environments where multiple WordPress sites share the same database are also at heightened risk, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
  grep -r "hcv4-payment-gateway" /var/www/html/wp-content/plugins/
• generic web (reads the "Stable tag" line of the plugin's readme.txt, which is what WordPress.org plugins ship with; the plugin is assumed to live under its component slug):
  curl -s https://your-wordpress-site.com/wp-content/plugins/hcv4-payment-gateway/readme.txt | grep -i "Stable tag"
• wordpress / composer / npm (lists the plugin whether it is active or inactive, since the plugin files are present in both cases):
  wp plugin list | grep -i hiecor
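As an added example (not part of this advisory or the plugin's own tooling), the shell functions below read the "Version:" header that every WordPress plugin declares in its main PHP file and report whether the installed copy falls in the affected range (below 1.5.12). The plugin directory path and the exact header layout are assumptions based on the standard WordPress plugin header format.

```shell
#!/bin/sh
# Added example: check whether an installed hcv4-payment-gateway copy is
# affected by CVE-2025-52773 (fixed in 1.5.12). Not from the advisory.

FIXED_VERSION="1.5.12"

# Compare two dotted version strings numerically; prints -1, 0 or 1.
# Missing components are treated as 0, so "1.5" < "1.5.12".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# True (exit 0) when the given version is below the fixed release.
is_affected() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Extract the version from the " * Version: x.y.z" header line of the
# main plugin file inside the given plugin directory (assumed layout).
plugin_version() {
    grep -h -m1 -E '^[[:space:]*]*Version:' "$1"/*.php 2>/dev/null \
        | head -n 1 \
        | sed -E 's/.*Version:[[:space:]]*([0-9][0-9.]*).*/\1/'
}

# Print a verdict for one plugin directory; exit 0 if affected,
# 1 if not affected, 2 if no version header could be found.
check_plugin_dir() {
    v="$(plugin_version "$1")"
    if [ -z "$v" ]; then
        echo "$1: no Version header found"; return 2
    fi
    if is_affected "$v"; then
        echo "$1: version $v is AFFECTED (upgrade to $FIXED_VERSION or later)"; return 0
    fi
    echo "$1: version $v is not affected"; return 1
}

# Usage: ./check.sh /var/www/html/wp-content/plugins/hcv4-payment-gateway
if [ $# -gt 0 ]; then check_plugin_dir "$1"; fi
```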
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-52773 is to immediately upgrade the HieCOR Payment Gateway Plugin to version 1.5.12 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL queries targeting the vulnerable endpoints. Additionally, review and restrict the permissions of the database user WordPress connects with, to limit the impact of a successful attack. Monitor web server access logs for requests to the plugin's endpoints that carry SQL syntax in their parameters (access logs record request URIs and bodies, not the database queries themselves). After upgrading, confirm the fix by attempting a SQL injection attack on the vulnerable endpoint and verifying that it is blocked.
Update the HieCOR Payment Gateway plugin to the latest available version to mitigate the SQL injection vulnerability. Check for updates in the WordPress repository or contact the plugin developer for more information about the fixed version. Implement additional security measures, such as validation and sanitization of user input, to prevent future vulnerabilities.
CVE-2025-52773 is a critical SQL Injection vulnerability affecting the HieCOR Payment Gateway Plugin for WordPress, allowing attackers to inject malicious SQL code and potentially compromise the database.
You are affected if you are using the HieCOR Payment Gateway Plugin in versions 0 through 1.5.11. Upgrade to version 1.5.12 or later to mitigate the risk.
The recommended fix is to upgrade the HieCOR Payment Gateway Plugin to version 1.5.12 or later. As a temporary workaround, implement a WAF rule to filter malicious SQL queries.
While no public exploits have been confirmed, the ease of SQL injection exploitation suggests a high probability of exploitation if the vulnerability remains unpatched.
Please refer to the HieCOR Payment Gateway Plugin's official website or WordPress plugin repository for the latest advisory and update information.