Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect allows Privilege Escalation. This issue affects Click & Pledge Connect: from 25.04010101 through WP6.8.
Published: 2025-07-04
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements used in an SQL command allows an attacker to inject SQL of their choosing into queries the plugin builds. The vulnerability can elevate a low-privileged user's privileges, permitting unauthorized data access, modification, or deletion. It is a classic SQL injection flaw (CWE-89) that reaches the application's core functionality.

Affected Systems

The Click & Pledge Connect plugin for WordPress is affected. Any installation using plugin versions from 25.04010101 up through WP6.8 is vulnerable. The problem originates from the database interaction layer of the plugin.

Risk and Exploitability

The CVSS score of 9.8 signals critical severity. The EPSS score is below 1%, indicating a low probability of widespread exploitation, and the vulnerability is not listed in CISA's KEV catalog. Likely attackers would send crafted requests to the plugin's endpoints as an authenticated user with limited privileges, using the SQL injection to gain higher privileges or alter data. Note that the CVSS 3.1 vector recorded for this CVE (AV:N/AC:L/PR:N/UI:N) rates the flaw as exploitable over the network without any privileges or user interaction, so exposure should not be assumed to be limited to authenticated accounts.

Generated by OpenCVE AI on April 30, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Click & Pledge Connect to the latest release that resolves the SQL injection flaw. If an upgrade is not immediately possible, roll back to a known secure version of the plugin or sandbox the site until the fix can be applied.
  • Configure the database user used by WordPress to have strictly the minimum privileges required for normal operation; avoid granting EXECUTE or ALTER rights that would allow elevation from injected code.
  • Deploy an application firewall or input-validation layer that detects and blocks suspicious SQL patterns before they reach the database engine; monitor for failed injection attempts to alert on possible exploitation attempts.


Tracking


Advisories
  • Source: EUVD
    ID: EUVD-2025-19973
    Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect allows Privilege Escalation. This issue affects Click & Pledge Connect: from 25.04010101 through WP6.8.
History

Tue, 28 Apr 2026 19:30:00 +0000

Tue, 28 Apr 2026 18:30:00 +0000
  • Description
    Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect click-pledge-connect allows Privilege Escalation.This issue affects Click & Pledge Connect: from n/a through <= 25.04010101-WP6.8.
    Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect allows Privilege Escalation. This issue affects Click & Pledge Connect: from 25.04010101 through WP6.8.
  • References

Thu, 23 Apr 2026 15:30:00 +0000

Thu, 23 Apr 2026 15:00:00 +0000
  • Description
    Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect allows Privilege Escalation. This issue affects Click & Pledge Connect: from 25.04010101 through WP6.8.
    Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect click-pledge-connect allows Privilege Escalation.This issue affects Click & Pledge Connect: from n/a through <= 25.04010101-WP6.8.
  • References

Mon, 07 Jul 2025 15:15:00 +0000
  • Metrics: ssvc
    Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 04 Jul 2025 11:30:00 +0000
  • Description
    Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect allows Privilege Escalation. This issue affects Click & Pledge Connect: from 25.04010101 through WP6.8.
  • Title
    Added: WordPress Click & Pledge Connect plugin <= 25.04010101-WP6.8 - Privilege Escalation via SQL Injection vulnerability
  • Weaknesses
    Added: CWE-89
  • References
  • Metrics: cvssV3_1
    Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:52.385Z

Reserved: 2025-03-11T08:10:36.161Z

Link: CVE-2025-28983

Vulnrichment

Updated: 2025-07-07T14:04:52.580Z

NVD

Status: Deferred

Published: 2025-07-04T12:15:27.437

Modified: 2026-04-28T19:30:12.057

Link: CVE-2025-28983

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:00:15Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')