CVE-2025-48141
EUVD-2025-17533 | CRITICAL 9.3 (CVSS 3.1)
Published 2025-06-09 | Source: [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline (3 events)

Mar 14, 2026 19:21 (euvd): EUVD ID Assigned, EUVD-2025-17533
Mar 14, 2026 19:21 (vuln.today): Analysis Generated
Jun 09, 2025 16:15 (nvd): CVE Published, CRITICAL 9.3

Description (NVD)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alex Zaytseff Multi CryptoCurrency Payments allows SQL Injection. This issue affects Multi CryptoCurrency Payments: from n/a through 2.0.3.

Analysis (AI)

Critical SQL injection vulnerability in Alex Zaytseff's Multi CryptoCurrency Payments plugin (versions up to and including 2.0.3) that an unauthenticated remote attacker can trigger. The NVD vector (CVSS 3.1 base score 9.3) is network-reachable and low-complexity with no privileges and no user interaction required; impact is scored High on confidentiality, None on integrity and Low on availability, with a scope change, so the assessment is of database disclosure rather than data modification. On a WordPress site a plugin's queries run over the same database connection as WordPress core, so an injection that reads arbitrary tables can reach the payment records the plugin handles as well as core tables holding user accounts and password hashes. An unauthenticated, low-complexity SQL injection in a payment component is a high-priority fix with significant real-world exploitation risk.

Technical Context (AI)

The vulnerability is in the Multi CryptoCurrency Payments plugin, which processes cryptocurrency payments on WordPress/e-commerce sites. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): user-supplied input reaches a SQL statement without being separated from the query text, so an attacker who supplies SQL metacharacters (quotes, comment sequences, UNION clauses) can change the structure of the query rather than only its parameter values. The NVD description does not identify the affected endpoint or parameter. Because the plugin handles payment data, the records reachable through the injection are of direct value: wallet addresses, transaction hashes, order and payment history, and any secrets the plugin keeps in the database; under a typical WordPress configuration the database user can also read core tables, so user accounts and password hashes are exposed as well. Whether the injected query could also modify data depends on the query position and database privileges; the NVD vector scores integrity impact as None.
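The following is an added illustration of the CWE-89 defect class described above, not code from the Multi CryptoCurrency Payments plugin (whose affected query is not public here). It uses Python with an in-memory SQLite database and a constructed schema (a payments table and a users table sharing one database, as plugin tables and core tables do in WordPress); the table and column names are assumptions for the demo. The vulnerable lookup concatenates the order id into the query string; the hardened lookup binds it as a parameter. Two classic payloads, a tautology and a UNION read of another table, succeed against the first and are inert against the second, which matches the vector's confidentiality-only impact.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed demo schema; not the plugin's real tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE crypto_payments (order_id TEXT, wallet_address TEXT, amount TEXT);
        CREATE TABLE users (login TEXT, pass_hash TEXT);
        INSERT INTO crypto_payments VALUES ('1001', 'bc1qexample0', '0.01');
        INSERT INTO crypto_payments VALUES ('1002', 'bc1qexample1', '0.25');
        INSERT INTO users VALUES ('admin', '$P$Bexamplehash');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, order_id: str) -> list:
    # CWE-89: untrusted input is spliced into the SQL text, so a quote in
    # order_id terminates the literal and the rest becomes query structure.
    sql = f"SELECT wallet_address, amount FROM crypto_payments WHERE order_id = '{order_id}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, order_id: str) -> list:
    # Parameter binding: the value travels separately from the statement, so
    # metacharacters in order_id are compared as data and cannot alter the query.
    sql = "SELECT wallet_address, amount FROM crypto_payments WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


# Constructed attacker inputs: a tautology that dumps every payment row, and a
# UNION that reads a different table through the same query (no data is modified).
PAYLOAD_OR = "x' OR 1=1--"
PAYLOAD_UNION = "x' UNION SELECT login, pass_hash FROM users--"


def demo() -> dict:
    conn = build_demo_db()
    return {
        "vuln_or": lookup_vulnerable(conn, PAYLOAD_OR),
        "vuln_union": lookup_vulnerable(conn, PAYLOAD_UNION),
        "hard_or": lookup_hardened(conn, PAYLOAD_OR),
        "hard_union": lookup_hardened(conn, PAYLOAD_UNION),
        "hard_legit": lookup_hardened(conn, "1001"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The PHP equivalent of the hardened lookup in a WordPress plugin is `$wpdb->prepare()` with `%s`/`%d` placeholders; escaping functions applied inconsistently, or only to some call sites, leave the same hole.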

Remediation (AI)

Patch (priority: IMMEDIATE): Upgrade to a release later than 2.0.3. The advisory states only the affected range ("through 2.0.3"), so confirm the fixed version in the vendor's advisory or the plugin repository before relying on it.

Vendor advisory: Check Alex Zaytseff's official security advisory and the plugin repository for patched versions and update as soon as one is available; contact the vendor directly if no patch has been released.

Temporary workarounds, if patching is not immediately possible: (1) deactivate the Multi CryptoCurrency Payments plugin; (2) add Web Application Firewall (WAF) rules that block SQL injection patterns in requests to the plugin's endpoints; (3) enforce strict input validation at the WAF for the plugin's payment forms. These mitigations reduce exposure but do not address the underlying vulnerability, and signature matching can be evaded with URL encoding and inline-comment tricks, so the WAF must normalize requests before matching.

Detection: Review web server and WAF logs for SQL syntax in requests to the plugin (UNION SELECT, OR 1=1, comment sequences such as --, # and /*), decoding URL-encoded parameters before matching; compare database transaction logs and payment records against expected activity for signs of unauthorized access.

Incident response: If the vulnerable version was exposed on production before patching, treat the database as potentially read: conduct forensic analysis to determine whether wallet data, user records or payment information were accessed or exfiltrated, and rotate any credentials or API keys the site stores in the database.
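An added example of the log-review step above, written for this page rather than taken from any vendor tooling. It parses combined-format access log lines, URL-decodes request targets (repeatedly, so double-encoded payloads are caught), collapses inline `/**/` comments, and then matches the indicators named in the advisory (UNION SELECT, OR 1=1 tautologies, comment sequences after a quote). It goes one step beyond the text by also flagging time-based probes (SLEEP/BENCHMARK), which are the usual follow-up once a blind injection is suspected. The log lines are constructed for the demo, and the `/checkout/?order=` path is a placeholder, since the plugin's real endpoints are not identified in the advisory; pass the real endpoint as `path_hint` to restrict the scan.

```python
import re
from urllib.parse import unquote_plus

# Combined/common log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicators run against the decoded, comment-collapsed, lowercased target.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "tautology": re.compile(r"\b(?:or|and)\s+(?:\d+|'[^']*')\s*=\s*(?:\d+|'[^']*')"),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\("),
}


def decode_target(target: str) -> str:
    """Peel up to three layers of URL encoding, then lowercase."""
    s = target
    for _ in range(3):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s.lower()


def scan_target(target: str) -> list:
    """Return the list of indicator names that fire for one request target."""
    decoded = decode_target(target)
    hits = []
    # A quote followed later by a comment opener is checked before inline
    # comments are collapsed, otherwise the /**/ evidence would be erased.
    if re.search(r"'.*?(?:--|#|/\*)", decoded):
        hits.append("comment_seq")
    collapsed = re.sub(r"\s+", " ", re.sub(r"/\*.*?\*/", " ", decoded))
    for name, rx in INDICATORS.items():
        if rx.search(collapsed):
            hits.append(name)
    return hits


def suspicious_requests(lines, path_hint=None) -> list:
    """Scan log lines; optionally restrict to targets containing path_hint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        target = m["target"]
        if path_hint and path_hint not in target:
            continue
        hits = scan_target(target)
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": target, "indicators": hits})
    return findings


# Constructed sample log (RFC 5737 test addresses); the second line is a benign
# search that mentions "union" without being an injection.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "GET /?p=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2025:12:00:03 +0000] "GET /?s=union+selection+rules HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2025:12:00:05 +0000] "GET /checkout/?order=1001%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users-- HTTP/1.1" 200 812 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Jun/2025:12:00:06 +0000] "GET /checkout/?order=1001%27%20or%201%3D1%23 HTTP/1.1" 200 9044 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Jun/2025:12:00:07 +0000] "GET /checkout/?order=1001%2527%2520AND%2520SLEEP%25285%2529-- HTTP/1.1" 200 812 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Jun/2025:12:00:08 +0000] "GET /checkout/?order=1001%27/**/union/**/select/**/1,2-- HTTP/1.1" 200 812 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG, path_hint="/checkout/"):
        print(f'{f["ts"]} {f["ip"]} {",".join(f["indicators"])} {f["target"]}')
```

Matches are leads, not verdicts: a hit on an endpoint that returned 200 with an unusually large body (as in the tautology line above) is the one to pull the database query log for first. Pattern matching of this kind is also what a WAF does, and the decoding and comment-collapsing steps are exactly what an evasion-aware rule set must perform before matching.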


CVE-2025-48141 vulnerability details – vuln.today
