Skip to main content

Super Simple Subscriptions CVE-2025-30523

HIGH
SQL Injection (CWE-89)
2025-03-24 audit@patchstack.com
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:20 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:33 vuln.today
CVE Published
Mar 24, 2025 - 14:15 nvd
HIGH 7.6

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Marcel-NL Super Simple Subscriptions allows SQL Injection. This issue affects Super Simple Subscriptions: from n/a through 1.1.0.

AnalysisAI

SQL injection in Super Simple Subscriptions WordPress plugin through version 1.1.0 allows high-privileged administrators to extract database contents and potentially cause service disruption. The vulnerability requires authenticated admin access (PR:H) but enables cross-scope impact (S:C), allowing compromise beyond the plugin's normal boundaries to potentially access WordPress database tables containing user credentials, payment data, or other sensitive information. With EPSS at 0.21% (44th percentile) and no confirmed active exploitation, this represents a moderate insider threat or account compromise scenario rather than an immediate mass-exploitation risk.

Technical ContextAI

This is a CWE-89 SQL injection vulnerability in the Super Simple Subscriptions WordPress plugin, a subscription management tool for WordPress sites. SQL injection occurs when user-supplied input is concatenated directly into SQL queries without proper sanitization or parameterized statements. The CVSS vector indicates network-based access (AV:N) with low attack complexity (AC:L), meaning the vulnerable endpoint is accessible remotely and exploitation is straightforward once authenticated. The Changed scope (S:C) is particularly significant in WordPress contexts, as it suggests the SQL injection can break out of the plugin's intended database scope to query other WordPress tables including wp_users, wp_postmeta, or custom tables from other plugins. This WordPress plugin likely processes subscription-related admin requests through vulnerable SQL queries in backend administrative functions, common attack surfaces in WordPress plugins with database interaction features.

Affected ProductsAI

WordPress plugin Super Simple Subscriptions versions from earliest release through version 1.1.0 inclusive, developed by Marcel-NL. All installations running version 1.1.0 or earlier are vulnerable. Specific CPE identifiers not provided in available data. The plugin is distributed through the WordPress.org plugin repository and potentially installed on WordPress sites using subscription management features. Vendor advisory and vulnerability details available at Patchstack database reference https://patchstack.com/database/wordpress/plugin/super-simple-subscriptions/vulnerability/wordpress-super-simple-subscriptions-plugin-1-1-0-sql-injection-vulnerability.

RemediationAI

Immediately upgrade Super Simple Subscriptions plugin to version 1.1.1 or later if available through the WordPress admin dashboard or by downloading from the official WordPress.org plugin repository. Patchstack advisory at https://patchstack.com/database/wordpress/plugin/super-simple-subscriptions/vulnerability/wordpress-super-simple-subscriptions-plugin-1-1-0-sql-injection-vulnerability should be consulted for official patch availability status. If no patched version exists yet, implement compensating controls: (1) audit and minimize number of administrator-level accounts with access to plugin settings, (2) enable comprehensive SQL query logging in WordPress database to detect injection attempts, (3) implement web application firewall rules to inspect admin POST requests for SQL metacharacters, though this may cause false positives on legitimate admin operations, (4) consider temporarily disabling the plugin if subscription functionality is not business-critical until patch is released. Review WordPress database logs and admin access logs for period when vulnerability existed to identify potential exploitation attempts targeting plugin endpoints.

Share

CVE-2025-30523 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy