Stripe Payment Forms by WP Full Pay: CVE-2025-9322 SQL Injection Brief Summary

This post provides a brief summary of CVE-2025-9322, an unauthenticated SQL injection vulnerability in the Stripe Payment Forms by WP Full Pay plugin for WordPress up to version 8.3.1. The summary covers affected versions, technical root cause, and vendor context based on public sources.

ZeroPath CVE Analysis

2025-10-24

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Attackers can remotely extract data from a WordPress site's database through a flaw in a popular payment plugin. CVE-2025-9322 affects the Stripe Payment Forms by WP Full Pay plugin, which is widely deployed for handling credit card payments, donations, and subscriptions on WordPress sites. The vulnerability is an SQL injection reachable without authentication through a user-supplied request parameter, so every site running an unpatched version is exposed until it updates.

About WP Full Pay and Themeisle: WP Full Pay is a Stripe-verified payment solution for WordPress, now part of the Themeisle family. Themeisle is a major WordPress ecosystem vendor with millions of users and a broad portfolio of plugins and themes, so a flaw in one of its payment plugins reaches a large installed base.

Technical Information

CVE-2025-9322 is an unauthenticated SQL injection vulnerability in the Stripe Payment Forms by WP Full Pay plugin for WordPress. The flaw exists in all versions up to and including 8.3.1. It arises from insufficient escaping of, and the absence of a prepared statement for, the 'wpfs-form-name' request parameter. When this parameter is present, its value is concatenated into an SQL query string without adequate sanitization, so an attacker can break out of the intended string literal and append their own SQL. The database executes that SQL with the privileges of the site's WordPress database account, which has access to every table in the site database, not just the plugin's own.

The root cause is improper input handling: user data is neither escaped nor parameterized before being placed in SQL text. This is classic SQL injection and lets an attacker reshape the query, for example with a UNION clause or a boolean or time-based condition, to read sensitive rows such as user records or payment data from the WordPress database. Because WordPress issues queries through $wpdb, which does not execute stacked statements, this class of flaw usually yields data extraction rather than arbitrary write access; that is still enough to expose credentials and customer information. The attack is remote and requires no authentication, which raises its risk profile. No public code snippets or proof of concept are available for this vulnerability.
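The following is an added example and not the plugin's code; the actual vulnerable query has not been published, and the table and column names (wpfs_forms, form_name, stripe_secret) are hypothetical stand-ins. It shows the two patterns the paragraph contrasts: the request parameter concatenated into SQL text, and the same lookup done with a bound parameter, which is what $wpdb->prepare() provides in WordPress. It runs stand-alone on the PHP CLI with the bundled pdo_sqlite extension, against a constructed in-memory table.

```php
<?php
// Added example, not code from WP Full Pay. The real query is not public;
// table and column names here are hypothetical. Requires only pdo_sqlite.

// Constructed in-memory data standing in for a plugin's form table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wpfs_forms (id INTEGER PRIMARY KEY, form_name TEXT, stripe_secret TEXT)');
$db->exec("INSERT INTO wpfs_forms (form_name, stripe_secret) VALUES "
        . "('donate', 'sk_live_constructed_1'), ('subscribe', 'sk_live_constructed_2')");

// Vulnerable pattern: the parameter value becomes part of the SQL text.
// In a WordPress plugin this is the shape of
//   $wpdb->get_results("SELECT ... WHERE form_name = '" . $_REQUEST['wpfs-form-name'] . "'");
function lookup_form_vulnerable(PDO $db, string $formName): array
{
    $sql = "SELECT id, form_name FROM wpfs_forms WHERE form_name = '" . $formName . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value is bound by the driver and can never be parsed as SQL.
// WordPress equivalent:
//   $wpdb->get_results($wpdb->prepare("SELECT ... WHERE form_name = %s", $formName));
function lookup_form_safe(PDO $db, string $formName): array
{
    $stmt = $db->prepare('SELECT id, form_name FROM wpfs_forms WHERE form_name = ?');
    $stmt->execute([$formName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal, appends a UNION that
// pulls the secret column into the result set, and comments out the trailing quote.
$payload = "x' UNION SELECT id, stripe_secret FROM wpfs_forms -- ";

echo "vulnerable query:\n";
foreach (lookup_form_vulnerable($db, $payload) as $row) {
    echo "  id={$row['id']} form_name={$row['form_name']}\n";
}

echo "hardened query:\n";
$rows = lookup_form_safe($db, $payload);
echo '  ' . count($rows) . " row(s): the payload is matched literally as a form name\n";
```

Run it with `php example.php`: the vulnerable lookup returns a row per form whose form_name column now carries the stripe_secret values, while the hardened lookup returns no rows because the whole payload was compared as a literal string. The WordPress fix is the same shape as the safe function: pass the raw value to `$wpdb->prepare()` with a `%s` placeholder rather than quoting or escaping it by hand.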

Affected Systems and Versions

  • Product: Stripe Payment Forms by WP Full Pay plugin for WordPress
  • Affected versions: All versions up to and including 8.3.1
  • Vulnerable parameter: 'wpfs-form-name'
  • No specific configuration is required for exploitation beyond running a vulnerable plugin version

Vendor Security History

WP Full Pay, now under Themeisle, has not shown a chronic pattern of SQL injection issues in public sources. The plugin is Stripe-verified and has a large user base. The vendor released a patch for this vulnerability after public disclosure; sites should update to a release later than 8.3.1.
