Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ichurakov Paid Downloads paid-downloads allows Blind SQL Injection. This issue affects Paid Downloads: from n/a through <= 3.15.
Published: 2026-01-22
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Paid Downloads plugin for WordPress contains an improper neutralization of special elements used in an SQL command, leading to a blind SQL injection vulnerability. Because the plugin does not validate or escape user-supplied input before placing it in its database queries, an attacker can craft requests that result in the execution of arbitrary SQL. This flaw enables the attacker to read sensitive data from the database or modify database contents, potentially leading to a data breach. The severity is reflected by a high CVSS score of 9.3.
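The following is an added illustration of the vulnerability class described above, not code from the Paid Downloads plugin or from OpenCVE: a hypothetical WordPress handler (function names, the `pd_downloads` table and its columns are all assumed) shown first in the unsafe string-concatenation form that CWE-89 describes, then in the hardened form that WordPress plugin code should use, with values bound through `$wpdb->prepare()` and coerced to the type the column expects.

```php
<?php
// Added illustration, not code from the Paid Downloads plugin.
// Hypothetical handler that looks up a download record by a request-supplied id.

// Vulnerable pattern (CWE-89): the request value is spliced into the SQL text,
// so the database parses any attacker-controlled characters as part of the statement.
function pd_example_get_download_unsafe( $download_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pd_downloads'; // hypothetical table name
    $sql   = "SELECT id, file_path, price FROM {$table} WHERE id = " . $download_id;
    return $wpdb->get_row( $sql );
}

// Hardened form: the value is coerced to an integer and passed to $wpdb->prepare()
// as a %d placeholder, so it can never change the structure of the query.
function pd_example_get_download_safe( $download_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pd_downloads';
    $id    = absint( $download_id ); // non-numeric input collapses to 0, never to SQL
    if ( 0 === $id ) {
        return null;
    }
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, file_path, price FROM {$table} WHERE id = %d", $id )
    );
}

// Same idea for a string-typed filter: %s is quoted and escaped by prepare(),
// and LIKE wildcards inside the user value are neutralised with esc_like().
function pd_example_search_downloads_safe( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pd_downloads';
    $like  = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title LIKE %s", $like )
    );
}
```

The table name is the only value interpolated directly, and it comes from `$wpdb->prefix`, not from the request. In a blind injection the HTTP response reveals nothing about the query result, which is why the recommended actions below lean on a least-privilege database user and on WAF or IDS alerting rather than on anything visible in the page output.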

Affected Systems

All installations of the Paid Downloads plugin by ichurakov with version 3.15 or earlier. The impact applies to any WordPress site running these unsupported plugin versions.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity. The EPSS score below 1% suggests a low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be the web application layer: the CVSS vector recorded in the history below (AV:N/AC:L/PR:N/UI:N) describes a network-reachable attack that requires no privileges and no user interaction, in which an attacker submits a crafted payload through the plugin's interface. Successful exploitation allows the attacker to extract sensitive data or alter database contents, which could compromise the confidentiality of the site's data.

Generated by OpenCVE AI on April 29, 2026 at 12:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Paid Downloads plugin to the latest available version (3.16 or newer).
  • If an immediate update is not possible, configure the WordPress database user with the least privilege needed by the site and prevent direct database access from the web application.
  • Deploy a web application firewall or intrusion detection system that alerts on anomalous SQL query patterns and blocks common injection payloads.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 22:15:00 +0000

  • Type: Metrics
    Values Added:
      cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}
      ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

  • Type: First Time appeared
    Values Added: Wordpress; Wordpress wordpress
  • Type: Vendors & Products
    Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

  • Type: Description
    Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ichurakov Paid Downloads paid-downloads allows Blind SQL Injection. This issue affects Paid Downloads: from n/a through <= 3.15.
  • Type: Title
    Values Added: WordPress Paid Downloads plugin <= 3.15 - SQL Injection vulnerability
  • Type: Weaknesses
    Values Added: CWE-89
  • Type: References
    Values Added: (none shown)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:04:19.633Z

Reserved: 2025-12-24T14:00:18.228Z

Link: CVE-2025-68857

Vulnrichment

Updated: 2026-01-27T21:51:52.980Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:11.650

Modified: 2026-06-17T09:59:43.220

Link: CVE-2025-68857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:00:11Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')