Super Simple Subscriptions CVE-2025-30523
HIGHSeverity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Marcel-NL Super Simple Subscriptions allows SQL Injection. This issue affects Super Simple Subscriptions: from n/a through 1.1.0.
AnalysisAI
SQL injection in Super Simple Subscriptions WordPress plugin through version 1.1.0 allows high-privileged administrators to extract database contents and potentially cause service disruption. The vulnerability requires authenticated admin access (PR:H) but enables cross-scope impact (S:C), allowing compromise beyond the plugin's normal boundaries to potentially access WordPress database tables containing user credentials, payment data, or other sensitive information. With EPSS at 0.21% (44th percentile) and no confirmed active exploitation, this represents a moderate insider threat or account compromise scenario rather than an immediate mass-exploitation risk.
Technical ContextAI
This is a CWE-89 SQL injection vulnerability in the Super Simple Subscriptions WordPress plugin, a subscription management tool for WordPress sites. SQL injection occurs when user-supplied input is concatenated directly into SQL queries without proper sanitization or parameterized statements. The CVSS vector indicates network-based access (AV:N) with low attack complexity (AC:L), meaning the vulnerable endpoint is accessible remotely and exploitation is straightforward once authenticated. The Changed scope (S:C) is particularly significant in WordPress contexts, as it suggests the SQL injection can break out of the plugin's intended database scope to query other WordPress tables including wp_users, wp_postmeta, or custom tables from other plugins. This WordPress plugin likely processes subscription-related admin requests through vulnerable SQL queries in backend administrative functions, common attack surfaces in WordPress plugins with database interaction features.
Affected ProductsAI
WordPress plugin Super Simple Subscriptions versions from earliest release through version 1.1.0 inclusive, developed by Marcel-NL. All installations running version 1.1.0 or earlier are vulnerable. Specific CPE identifiers not provided in available data. The plugin is distributed through the WordPress.org plugin repository and potentially installed on WordPress sites using subscription management features. Vendor advisory and vulnerability details available at Patchstack database reference https://patchstack.com/database/wordpress/plugin/super-simple-subscriptions/vulnerability/wordpress-super-simple-subscriptions-plugin-1-1-0-sql-injection-vulnerability.
RemediationAI
Immediately upgrade Super Simple Subscriptions plugin to version 1.1.1 or later if available through the WordPress admin dashboard or by downloading from the official WordPress.org plugin repository. Patchstack advisory at https://patchstack.com/database/wordpress/plugin/super-simple-subscriptions/vulnerability/wordpress-super-simple-subscriptions-plugin-1-1-0-sql-injection-vulnerability should be consulted for official patch availability status. If no patched version exists yet, implement compensating controls: (1) audit and minimize number of administrator-level accounts with access to plugin settings, (2) enable comprehensive SQL query logging in WordPress database to detect injection attempts, (3) implement web application firewall rules to inspect admin POST requests for SQL metacharacters, though this may cause false positives on legitimate admin operations, (4) consider temporarily disabling the plugin if subscription functionality is not business-critical until patch is released. Review WordPress database logs and admin access logs for period when vulnerability existed to identify potential exploitation attempts targeting plugin endpoints.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today