CVE-2026-28115
loopus · WP Attractive Donations System
The WP Attractive Donations System WordPress plugin is vulnerable to Blind SQL Injection, allowing unauthenticated attackers to query database contents.
Executive summary
A critical Blind SQL Injection vulnerability in the loopus WP Attractive Donations System plugin allows unauthenticated remote attackers to compromise database integrity and confidentiality.
Vulnerability
This vulnerability stems from the improper neutralization of special elements used in SQL commands. It allows an unauthenticated attacker to inject malicious SQL queries, enabling unauthorized access to the underlying database.
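The failure mode named above, untrusted input spliced into a SQL statement so that its special characters become part of the query syntax, is illustrated below by a small added example that is not code from the plugin or the advisory. It uses an in-memory SQLite table with a constructed schema and rows standing in for the plugin's MySQL tables; the table name, columns and the "campaign" parameter are assumptions for the example. In a WordPress plugin the hardened form corresponds to passing values through $wpdb->prepare() instead of concatenating them.

```python
import sqlite3

# Constructed in-memory donation table standing in for a WordPress/MySQL
# table; the schema, column names and rows are assumptions for this example.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE donations (id INTEGER PRIMARY KEY, campaign TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO donations (campaign, amount) VALUES (?, ?)",
        [("spring", 10.0), ("spring", 25.0), ("winter", 5.0)],
    )
    return conn


def count_unsafe(conn: sqlite3.Connection, campaign: str) -> int:
    # Improper neutralization: the caller's string is pasted into the
    # statement, so a quote or keyword in `campaign` rewrites the query.
    sql = f"SELECT COUNT(*) FROM donations WHERE campaign = '{campaign}'"
    return conn.execute(sql).fetchone()[0]


def count_safe(conn: sqlite3.Connection, campaign: str) -> int:
    # Parameterised: the value travels separately from the SQL text and is
    # always treated as a literal, whatever characters it contains.
    sql = "SELECT COUNT(*) FROM donations WHERE campaign = ?"
    return conn.execute(sql, (campaign,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe, normal input :", count_unsafe(db, "spring"))
    print("safe,   normal input :", count_safe(db, "spring"))
    print("unsafe, hostile input:", count_unsafe(db, probe))
    print("safe,   hostile input:", count_safe(db, probe))
```

With the unsafe builder the hostile value turns the WHERE clause into a tautology and the count covers every row; with the parameterised builder the same value is compared as a literal string and matches nothing. The fix is purely structural, which is why a plugin update is the only complete remedy and a WAF can only be a compensating control.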
Business impact
Exploitation of this Blind SQL Injection flaw could result in the total compromise of site data, including donor information and administrative credentials. With a CVSS score of 9.3, the potential for full database exfiltration is significant, posing a severe threat to data privacy and regulatory compliance.
Remediation
Immediate Action: Update the WP Attractive Donations System plugin to the latest available version (later than 1.25) as soon as possible.
Proactive Monitoring: Monitor database query logs for suspicious patterns or syntax errors indicative of SQL injection attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) with updated rulesets to block common SQL injection payloads and malicious request patterns.
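The monitoring step above asks operators to look for request patterns indicative of SQL injection attempts. The following added example, not part of the advisory and not tied to the plugin's real endpoints, parses a few constructed combined-format web server log lines, URL-decodes the request target and flags the indicator classes that common WAF rulesets look for (time-delay functions, boolean tautologies, comment terminators, UNION SELECT). The IP addresses, timestamps, the admin-ajax action name and the "id" parameter are all constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache/nginx combined-format access log lines. Hosts, paths,
# the action name and parameters are placeholders, not the plugin's real
# endpoints. Lines 3 and 4 carry textbook injection probes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=7 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=7%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 310 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2026:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=7%27%20OR%201%3D1--%20 HTTP/1.1" 200 8801 "-" "curl/8.0"
"""

# Combined log format: client, identity, user, [timestamp], "request", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator classes used by typical SQL injection signature sets. Each is
# checked against the URL-decoded request target.
INDICATORS = [
    ("time_based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("boolean_tautology", re.compile(r"\b(or|and)\b\s+['\"\d]+\s*=\s*['\"\d]+", re.I)),
    ("comment_terminator", re.compile(r"(--\s|#|/\*)")),
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
]


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode percent-encoding and '+' so that encoded payloads are inspected
    # in the same form the application will see them.
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def find_indicators(decoded_target: str) -> list:
    """Names of every indicator class that matches the decoded target."""
    return [name for name, rx in INDICATORS if rx.search(decoded_target)]


def scan_log(text: str) -> list:
    """Collect one hit record per log line that shows at least one indicator."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        names = find_indicators(rec["decoded"])
        if names:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "target": rec["decoded"],
                "indicators": names,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["indicators"], hit["target"])
```

Decoding before matching matters: a blind injection probe in a GET parameter reaches the web server percent-encoded, so a pattern search over the raw request line would miss it. For a blind SQL injection the response size often does not change, so group hits by client address and look for bursts of identical targets with varying payloads or elevated response times rather than relying on HTTP status codes.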
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
SQL injection remains a primary vector for site takeover; therefore, this update must be treated as urgent. If an immediate patch is not possible, disable the plugin until a secure version can be verified and installed.