Platform
wordpress
Component
click-pledge-connect
Fixed in
6.8.1
CVE-2025-28983 describes a critical SQL Injection vulnerability discovered in Click & Pledge Connect. This flaw allows attackers to inject malicious SQL code, potentially leading to privilege escalation and unauthorized data access. The vulnerability impacts versions 25.04010101 through WP6.8. A patch is available in version 6.8.1.
Successful exploitation of CVE-2025-28983 could grant an attacker complete control over the Click & Pledge Connect database. This includes the ability to read, modify, or delete sensitive data such as user credentials, financial information, and order details. The attacker could potentially escalate privileges to gain administrative access to the WordPress site hosting the plugin, enabling them to compromise the entire website. This vulnerability shares similarities with other SQL injection attacks where attackers bypass authentication and authorization controls to gain unauthorized access.
CVE-2025-28983 was publicly disclosed on 2025-07-04. The vulnerability's critical CVSS score suggests a high probability of exploitation. No public proof-of-concept (PoC) code had been released at the time of writing, but the ease of exploiting SQL injection means one is likely to be developed. It is not currently listed in the CISA KEV catalog.
Websites running Click & Pledge Connect versions 25.04010101 through WP6.8 are at significant risk. Sites with weak database security configurations or those running in shared hosting environments are particularly exposed, as they may lack the controls needed to detect and prevent SQL injection attacks.
• wordpress / composer / npm:
  grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/click-and-pledge-connect/
• generic web:
  curl -I https://your-wordpress-site.com/wp-admin/admin.php?page=click-and-pledge-connect-admin | grep SQL
• database (mysql):
  mysql -e "SHOW TABLES LIKE 'clickandpledge%';" -u your_db_user -p
• wordpress / composer / npm:
  wp plugin list | grep click-and-pledge-connect
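The one-liners above locate the plugin but leave the version comparison to the reader. The script below is an added example, not part of this advisory and not code from the Click & Pledge project: it reads the standard WordPress `Version:` header from a plugin's main PHP file and reports whether it is below the fixed release 6.8.1, using `sort -V` for the comparison. The plugin directory path and the main file name are assumptions (the page lists the directory as click-and-pledge-connect but not the file), and the sample headers in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the Click & Pledge project).
# Assumes the installed plugin carries a WordPress "Version:" header in
# one of the .php files at the top of its directory.
FIXED_VERSION="6.8.1"

# Print the value of the first "Version:" header in the given PHP file,
# with any leading non-numeric prefix stripped (so "Version: WP6.8"
# yields "6.8"). Prints nothing when no header is present.
plugin_version() {
  sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
    | head -n 1 | sed 's/^[^0-9]*//'
}

# True (exit 0) when version $1 sorts strictly below version $2,
# e.g. version_lt 6.8 6.8.1 succeeds, version_lt 6.8.1 6.8 fails.
version_lt() {
  [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify one plugin main file: prints "vulnerable (x.y)", "fixed (x.y)"
# or "unknown"; exit status 1 / 0 / 2 respectively, for use in scripts.
check_plugin_file() {
  v=$(plugin_version "$1")
  if [ -z "$v" ]; then
    echo "unknown"
    return 2
  fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "vulnerable ($v)"
    return 1
  fi
  echo "fixed ($v)"
  return 0
}

# Scan the top-level .php files of a plugin directory and classify the
# first one that carries a Version header (the main plugin file).
check_plugin_dir() {
  for f in "$1"/*.php; do
    [ -f "$f" ] || continue
    if [ -n "$(plugin_version "$f")" ]; then
      check_plugin_file "$f"
      return $?
    fi
  done
  echo "unknown"
  return 2
}

# Usage (path is an assumption):
#   sh check_cp_version.sh /var/www/html/wp-content/plugins/click-and-pledge-connect
if [ -n "${1:-}" ]; then
  check_plugin_dir "$1"
fi
```

Two caveats for anyone wiring this into an inventory job: `sort -V` is available in GNU and BusyBox coreutils but not in every BSD `sort`, and the page gives the affected range as 25.04010101 through WP6.8, so a header in the 25.x scheme sorts above 6.8.1 and is reported as fixed by this comparison. Confirm installs with an unusual version string against the vendor's release notes rather than trusting the number alone; `wp plugin list` from the page is the quicker cross-check where WP-CLI is installed.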
Exploit status
EPSS
0.06% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-28983 is to immediately upgrade Click & Pledge Connect to version 6.8.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the vulnerable endpoints. Carefully review and sanitize all user inputs to prevent SQL injection attacks. Monitor database logs for suspicious SQL queries that might indicate an ongoing attack.
Update the Click & Pledge Connect plugin to a fixed version. Consult the plugin's release notes or the developer's website for specific instructions on how to update and mitigate the SQL injection vulnerability.
Vulnerability analysis and critical alerts delivered straight to your inbox.
CVE-2025-28983 is a critical SQL Injection vulnerability affecting Click & Pledge Connect, allowing attackers to inject malicious SQL code and potentially gain unauthorized access.
You are affected if you are using Click & Pledge Connect versions 25.04010101 through WP6.8. Upgrade to 6.8.1 to resolve the issue.
Upgrade Click & Pledge Connect to version 6.8.1 or later. Consider implementing a WAF as an interim measure.
While no active exploitation has been publicly confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the official Click & Pledge Connect website and security advisory page for the latest information and updates regarding CVE-2025-28983.
Upload your dependency file and find out instantly whether this and other CVEs affect you.