Description
The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.0.2 via the 'zipcode' parameter. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-03-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection leading to information disclosure
Action: Patch Now
AI Analysis

Impact

The ZIP Code Based Content Protection plugin for WordPress contains an unauthenticated SQL injection flaw in the 'zipcode' parameter. Because the plugin does not properly escape user input or use prepared statements, an attacker can inject malicious SQL statements, allowing arbitrary queries against the site's database and extraction of confidential data such as user credentials or site configuration.

Affected Systems

Presstigers’ ZIP Code Based Content Protection WordPress plugin is affected. All released versions up to and including 1.0.2 contain the vulnerability. WordPress sites that have this plugin installed and have not upgraded to a newer version are at risk.

Risk and Exploitability

The flaw has a CVSS score of 7.5, indicating high severity. The EPSS score is less than 1 %, suggesting that the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the injection is unauthenticated and can be triggered via a simple HTTP request to the 'zipcode' parameter, an attacker can easily exploit it from any location.

Generated by OpenCVE AI on April 21, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ZIP Code Based Content Protection plugin to version 1.0.3 or later.
  • If an upgrade is not immediately possible, block or filter the 'zipcode' parameter at the web server or via a WAF to prevent arbitrary SQL execution.
  • Disable the plugin entirely if the zip-code feature is not required for site functionality.

Generated by OpenCVE AI on April 21, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Presstigers
Presstigers zip Code Based Content Protection
Wordpress
Wordpress wordpress
Vendors & Products Presstigers
Presstigers zip Code Based Content Protection
Wordpress
Wordpress wordpress

Sat, 07 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.0.2 via the 'zipcode' parameter. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title ZIP Code Based Content Protection <= 1.0.2 - Unauthenticated SQL Injection via 'zipcode' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Presstigers Zip Code Based Content Protection
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:46.220Z

Reserved: 2025-12-09T16:27:04.114Z

Link: CVE-2025-14353

cve-icon Vulnrichment

Updated: 2026-03-09T19:12:43.783Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-07T02:16:09.017

Modified: 2026-03-09T13:35:34.633

Link: CVE-2025-14353

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:00:13Z

Weaknesses