Time-Based SQL Injection in WPCOM Member Plugin for WordPress
CVE-2025-2221
7.5HIGH
What is CVE-2025-2221?
The WPCOM Member plugin for WordPress is susceptible to a time-based SQL Injection exploit via the 'user_phone' parameter in all versions up to and including 1.7.6. This vulnerability arises from inadequate parameter escaping and a lack of robust query preparation within the SQL statement. As a result, unauthenticated attackers may inject malicious SQL code, allowing them to manipulate queries and extract sensitive information from the database, heightening the risk of unauthorized data access.
Affected Version(s)
WPCOM Member * <= 1.7.6