Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
Published: 2025-04-09
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Click & Pledge Connect plugin contains a SQL injection flaw (CWE-89): request data reaches an SQL statement without being neutralized, so an attacker can alter the statement's structure and execute SQL the developer never intended. The CVSS v3.1 vector published for this issue (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L) records no confidentiality impact and low integrity and availability impact, so the scored outcome is modification or deletion of database content rather than data disclosure; the advisory does not describe the affected query, so the exact reach of the injection is not public.
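To make the CWE-89 mechanism concrete, here is an added illustration in Python against an in-memory SQLite database. It is not code from the Click & Pledge Connect plugin (whose vulnerable query is not published): the donations table, its column names, the "mark paid" operation and the payload are assumptions chosen to show an integrity impact, which is what the CVSS vector scores. The vulnerable function concatenates request data into the statement; the hardened one validates the type and binds the value as a query parameter.

```python
import sqlite3

# Constructed demo schema: a hypothetical donations table. Nothing here is
# taken from the Click & Pledge Connect plugin; it only reproduces the
# CWE-89 pattern the advisory names.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE donations (id INTEGER PRIMARY KEY, donor TEXT, status TEXT)")
    con.executemany(
        "INSERT INTO donations (donor, status) VALUES (?, ?)",
        [("alice", "pending"), ("bob", "pending"), ("carol", "paid")],
    )
    con.commit()
    return con

def mark_paid_vulnerable(con, donation_id):
    # Request data concatenated straight into the statement text: the
    # input can change the WHERE clause logic, not just the value compared.
    sql = "UPDATE donations SET status = 'paid' WHERE id = " + donation_id
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount

def mark_paid_fixed(con, donation_id):
    # Hardened form: validate the type, then bind the value as a query
    # parameter so the driver sends it separately from the SQL text.
    try:
        ident = int(donation_id)
    except (TypeError, ValueError):
        return 0  # reject rather than interpolate anything non-numeric
    cur = con.execute("UPDATE donations SET status = 'paid' WHERE id = ?", (ident,))
    con.commit()
    return cur.rowcount

def statuses(con):
    return [row[0] for row in con.execute("SELECT status FROM donations ORDER BY id")]

# A textbook tautology payload (constructed; not an exploit for this CVE).
PAYLOAD = "1 OR 1=1"

def demo():
    results = {}
    con = make_db()
    results["vulnerable_legit"] = mark_paid_vulnerable(con, "1")        # 1 row
    con = make_db()
    results["vulnerable_payload"] = mark_paid_vulnerable(con, PAYLOAD)  # every row
    results["vulnerable_after"] = statuses(con)
    con = make_db()
    results["fixed_legit"] = mark_paid_fixed(con, "1")                  # 1 row
    con = make_db()
    results["fixed_payload"] = mark_paid_fixed(con, PAYLOAD)            # rejected, 0 rows
    results["fixed_after"] = statuses(con)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In WordPress plugin code the same discipline is `$wpdb->prepare()` with `%d`/`%s` placeholders instead of string-building the query, which is how CWE-89 fixes in plugins are normally shipped.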

Affected Systems

Affected installations are those running Click & Pledge Connect versions up to and including 2.24080000-WP6.6.1; the CVE text renders this range as "from 2.24080000 through WP6.6.1", but the earlier Patchstack wording in the history below gives it as "from n/a through <= 2.24080000-WP6.6.1". The version string carries a WordPress release number after the hyphen, so compare on the plugin build number before it. Any WordPress site that has not upgraded to 2.24120000-WP6.7.1 or later should be treated as vulnerable.
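Because the advisory's version strings mix a plugin build number with a WordPress release suffix, here is an added Python check (not OpenCVE's or the vendor's tooling) that parses that format and decides whether an installed build needs the upgrade. The rule it applies is this example's own: anything below the first fixed build, 2.24120000-WP6.7.1, is flagged, which covers the "<= 2.24080000-WP6.6.1" range and any build in between. Whether the plugin's installed version header carries the "-WPx.y.z" suffix is an assumption, so the parser accepts both forms.

```python
import re

# Versions quoted in this advisory.
LAST_AFFECTED = "2.24080000-WP6.6.1"
FIRST_FIXED = "2.24120000-WP6.7.1"

# "<plugin build>[-WP<wordpress release>]"; the WP part is optional because
# the installed plugin header may omit it (assumption for this example).
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-WP(\d+(?:\.\d+)*))?$")

def parse_version(text):
    """Return (plugin_build_tuple, wp_release_tuple_or_None)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    plugin = tuple(int(p) for p in m.group(1).split("."))
    wp = tuple(int(p) for p in m.group(2).split(".")) if m.group(2) else None
    return plugin, wp

def is_affected(installed):
    # Compare plugin build numbers only; the WP suffix is not a security boundary.
    plugin, _ = parse_version(installed)
    return plugin < parse_version(FIRST_FIXED)[0]

def assess(installed):
    affected = is_affected(installed)
    return {
        "installed": installed,
        "affected": affected,
        "upgrade_to": FIRST_FIXED if affected else None,
    }

if __name__ == "__main__":
    for v in (LAST_AFFECTED, FIRST_FIXED):
        print(assess(v))
```

On a live site the installed version is normally read with `wp plugin get click-pledge-connect --field=version` (the slug appears in the earlier advisory text); feed that string to `assess()`.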

Risk and Exploitability

The CVSS v3.1 score of 7.2 (High) reflects a flaw reachable over the network with low attack complexity, no privileges and no user interaction (AV:N/AC:L/PR:N/UI:N) and a changed scope (S:C). The EPSS probability is below 1%, the issue is not in CISA's KEV catalog, and the SSVC assessment recorded at publication gives Exploitation: none while marking the flaw Automatable: yes, so opportunistic mass scanning is plausible even though no exploitation is known. The likely attack path is a crafted HTTP request to a plugin-handled parameter on the public site; no account on the site is required.

Generated by OpenCVE AI on April 30, 2026 at 23:54 UTC.

Remediation

Vendor Solution

Update the Click & Pledge Connect WordPress plugin to the latest available version (at least 2.24120000-WP6.7.1).


OpenCVE Recommended Actions

  • Upgrade the Click & Pledge Connect plugin to the latest version (at least 2.24120000-WP6.7.1). The fix ships in the plugin code; no configuration change closes the hole.
  • Review web server access logs for requests to plugin endpoints whose parameters carry SQL metacharacters or keywords, and audit the database for abnormal query activity or unauthorized row and table changes that may indicate exploitation.
  • If the plugin cannot be updated promptly, deactivate it until it can be. Restricting plugin administration to trusted accounts does not mitigate this issue, because exploitation requires no privileges (PR:N). The code-level CWE-89 mitigation is parameterized queries for every statement built from request data ($wpdb->prepare() with placeholders in WordPress).
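For the log-review step, here is an added Python triage script (not OpenCVE's or the plugin vendor's tooling) that scans combined-format access-log lines for query parameters carrying SQL injection indicators, decoding percent-encoding twice so double-encoded payloads are not missed. The sample log lines, client addresses and the admin-ajax.php action name are constructed for the example; the advisory does not name the plugin's endpoints, so run it over the paths the plugin registers on your site.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (Apache/nginx "combined" style).
# Traffic, IPs and the request path are made up; the path does not
# identify the plugin's real endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=demo_lookup&id=42 HTTP/1.1" 200 512
203.0.113.9 - - [10/Apr/2025:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=demo_lookup&id=42%20OR%201%3D1 HTTP/1.1" 200 8192
203.0.113.9 - - [10/Apr/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=demo_lookup&id=42%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 200 9031
198.51.100.2 - - [10/Apr/2025:10:02:00 +0000] "GET /?s=rock+%26+roll HTTP/1.1" 200 3000
203.0.113.9 - - [10/Apr/2025:10:02:30 +0000] "GET /wp-admin/admin-ajax.php?action=demo_lookup&id=42%2527%2520AND%2520SLEEP(5)--%2520- HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Coarse indicators; tune them to the parameters the plugin actually accepts.
INDICATORS = {
    "tautology": re.compile(r"\b(?:or|and)\b\s+['\"\w]+\s*=\s*['\"\w]+", re.I),
    "union-select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "sql-comment": re.compile(r"--[\s-]|--$|/\*"),
    "time-based": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),
}

def decode_param(value, rounds=2):
    """Percent-decode repeatedly so double-encoded payloads are unmasked."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(log_text):
    """Return one hit per (request, parameter) whose value matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = decode_param(raw)
            found = sorted(k for k, rx in INDICATORS.items() if rx.search(value))
            if found:
                hits.append({"ip": m["ip"], "time": m["ts"], "path": url.path,
                             "param": name, "value": value, "indicators": found})
    return hits

def by_source(hits):
    """Count hits per client address to surface the noisiest sources first."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["path"]} {h["param"]}={h["value"]!r} {h["indicators"]}')
    print(by_source(triage(SAMPLE_LOG)))
```

Only GET parameters are visible in standard access logs; POST bodies need a WAF or application-level log. Treat hits as leads for the database audit, not proof of compromise.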

Generated by OpenCVE AI on April 30, 2026 at 23:54 UTC.

Tracking


Advisories

Source: EUVD
ID: EUVD-2025-10588
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
History

Tue, 28 Apr 2026 19:45:00 +0000

Tue, 28 Apr 2026 18:30:00 +0000

Description
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect click-pledge-connect allows SQL Injection.This issue affects Click & Pledge Connect: from n/a through <= 2.24080000-WP6.6.1.
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
References

Thu, 23 Apr 2026 15:30:00 +0000

Thu, 23 Apr 2026 15:00:00 +0000

Description
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect click-pledge-connect allows SQL Injection.This issue affects Click & Pledge Connect: from n/a through <= 2.24080000-WP6.6.1.
References

Wed, 09 Apr 2025 18:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 09 Apr 2025 16:30:00 +0000

Description
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
Title
  Added: WordPress Click & Pledge Connect Plugin Plugin <= 2.24080000-WP6.6.1 - SQL Injection vulnerability
Weaknesses
  Added: CWE-89
References
Metrics (cvssV3_1)
  Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:24.089Z

Reserved: 2025-04-09T11:19:56.432Z

Link: CVE-2025-32550

Vulnrichment

Updated: 2025-04-09T17:40:59.263Z

NVD

Status: Deferred

Published: 2025-04-09T17:15:45.120

Modified: 2026-04-28T19:31:42.287

Link: CVE-2025-32550

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:00:05Z

Weaknesses: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)