Description
The iATS Online Forms plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order' parameter in all versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-08-29
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing extraction of sensitive database information by contributors
Action: Patch
AI Analysis

Impact

The iATS Online Forms plugin for WordPress contains a time‑based SQL injection in the order parameter. The flaw exists in every version up to and including 1.2. Because the plugin fails to escape or properly prepare the parameter, an authenticated user with Contributor or higher permissions can append arbitrary SQL statements to an existing query. This enables the attacker to read confidential data from the database, such as user credentials, order details, or other stored information. The weakness corresponds to CWE‑89 injection.

Affected Systems

WordPress sites that rely on the iatspaymentsdev iATS Online Forms plugin with any version 1.2 or earlier. No other versions or products are affected according to the CNA information.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% shows a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Attackers must first authenticate with at least Contributor privileges, then send a crafted request containing a malicious order parameter. Once satisfied, the attacker can retrieve arbitrary data from the database. No remote code execution or privilege escalation beyond what the authenticated role permits is possible with this flaw.

Generated by OpenCVE AI on April 20, 2026 at 21:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch for the iATS Online Forms plugin to address the unsanitized order parameter usage.
  • If an upgrade is not immediately possible, limit or remove Contributor permissions from users who do not require them, ensuring that only trusted administrators have access to the affected feature.
  • Implement database monitoring or a WAF rule that blocks unexpected SELECT, UNION, or other SQL patterns injected via the order parameter to detect and prevent ongoing abuse.

Generated by OpenCVE AI on April 20, 2026 at 21:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26178 The iATS Online Forms plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order' parameter in all versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Mon, 01 Sep 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Iatspaymentsdev
Iatspaymentsdev iats Online Forms
Wordpress
Wordpress wordpress
Vendors & Products Iatspaymentsdev
Iatspaymentsdev iats Online Forms
Wordpress
Wordpress wordpress

Fri, 29 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 Aug 2025 04:30:00 +0000

Type Values Removed Values Added
Description The iATS Online Forms plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order' parameter in all versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title iATS Online Forms <= 1.2 - Authenticated (Contributor+) SQL Injection via order Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Iatspaymentsdev Iats Online Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:57.051Z

Reserved: 2025-08-25T13:47:28.404Z

Link: CVE-2025-9441

cve-icon Vulnrichment

Updated: 2025-08-29T11:58:13.857Z

cve-icon NVD

Status : Deferred

Published: 2025-08-29T05:15:32.250

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9441

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses