CVE-2025-9322

WordPress · WordPress Plugin: Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions

A high-severity vulnerability has been identified in the "Stripe Payment Forms by WP Full Pay" WordPress plugin.

Executive summary

A high-severity vulnerability has been identified in the "Stripe Payment Forms by WP Full Pay" WordPress plugin. This flaw allows unauthenticated attackers to manipulate the website's database through a technique known as SQL Injection, potentially leading to the theft of sensitive data, website defacement, or a full system compromise. Organizations using this plugin are at significant risk of data breaches and should take immediate action to update the software.

Vulnerability

The vulnerability is a SQL Injection flaw caused by insufficient input sanitization of the wpfs-form-name parameter. An unauthenticated attacker can send a specially crafted HTTP request containing malicious SQL within this parameter. Because the application incorporates this user-supplied data into a database query without proper sanitization, the database server executes the attacker's SQL, giving them the ability to read, modify, or delete sensitive information in the database.

Business impact

This is a high-severity vulnerability with a CVSS score of 7.5. Successful exploitation could have severe consequences for the business, including the exfiltration of sensitive customer data, transaction records, and user credentials from the website's database. This could lead to significant financial loss, severe reputational damage, loss of customer trust, and potential regulatory fines for non-compliance with data protection standards such as GDPR or PCI DSS. A complete database compromise could also result in extended website downtime and costly recovery efforts.

Remediation

Immediate Action: Update the "Stripe Payment Forms by WP Full Pay" plugin to the latest available version (greater than version 8.0), which contains a patch for this vulnerability. If the plugin is not essential for business operations, consider deactivating and uninstalling it to remove the attack surface completely.

Proactive Monitoring: Monitor web server and Web Application Firewall (WAF) logs for any requests containing suspicious SQL syntax in the wpfs-form-name parameter. Look for common SQL injection payloads such as UNION SELECT, ' OR '1'='1, and time-based blind injection attempts (e.g., SLEEP()). Monitor database logs for unusual queries or errors originating from the web application.
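The log check described above, written out as an added example that is not part of this advisory: it parses Apache/nginx combined-format access-log lines, URL-decodes the wpfs-form-name value (a second time, to catch double-encoded payloads), and flags the payload families listed above. The log lines are constructed samples using RFC 5737 test addresses, and the pattern names and regular expressions are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

PARAM = "wpfs-form-name"  # the parameter named in the advisory

# One pattern per payload family the advisory lists (UNION SELECT, ' OR '1'='1, SLEEP()).
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bUNION\b\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("tautology", re.compile(r"'\s*\bOR\b\s*'[^']*'\s*=\s*'", re.I)),
    ("time_based", re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(", re.I)),
]

# Apache/nginx combined format: client ident user [timestamp] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def classify_value(value):
    """Return the names of every SQLi pattern matching a parameter value."""
    # parse_qs already decoded once; decoding again also catches double-encoded payloads.
    decoded = unquote_plus(value)
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]

def scan_line(line):
    """Return (client_ip, decoded_value, hits) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Only the query string is in an access log; POST bodies need WAF or request-body logs.
    query = urlsplit(m.group("target")).query
    for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
        hits = classify_value(value)
        if hits:
            return m.group("ip"), unquote_plus(value), hits
    return None

def scan_log(lines):
    """Return all suspicious findings from an iterable of log lines."""
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample lines using RFC 5737 test addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Sep/2025:10:01:02 +0000] "GET /?wpfs-form-name=donation-form HTTP/1.1" 200 5120',
    '203.0.113.11 - - [12/Sep/2025:10:01:05 +0000] "GET /?wpfs-form-name=x%27+UNION+SELECT+1%2C2 HTTP/1.1" 200 5120',
    '203.0.113.12 - - [12/Sep/2025:10:01:09 +0000] "GET /?wpfs-form-name=%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 200 5120',
    '203.0.113.13 - - [12/Sep/2025:10:01:14 +0000] "GET /?wpfs-form-name=1+AND+SLEEP%285%29 HTTP/1.1" 500 312',
    '203.0.113.14 - - [12/Sep/2025:10:01:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

The benign first line and the bare POST line produce no finding; the POST case is the reminder that a payload submitted in a request body is invisible in a plain access log.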

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a robust SQL injection rule set to detect and block malicious requests targeting this parameter. Ensure the database user account for the WordPress application operates with the principle of least privilege, restricting its ability to access or modify non-essential tables or execute system-level commands.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.5) of this vulnerability and its presence in a payment processing plugin, we strongly recommend that organizations treat this as a critical priority. The risk of sensitive data exposure is significant. All instances of the affected plugin must be updated immediately. Although this CVE is not currently listed on the CISA KEV catalog, its potential impact makes it a prime candidate for future inclusion, and organizations should act proactively to mitigate the risk before it is actively exploited in the wild.