CVE-2025-22652: 
WordPress vulnerability analysis and mitigation

The Payment Forms for Paystack WordPress plugin contains an SQL Injection vulnerability (CVE-2025-22652) affecting versions up to and including 4.0.1. The vulnerability was discovered by Webula and publicly disclosed on February 3, 2025. This security issue affects the plugin's handling of user-supplied parameters, where insufficient escaping and preparation of SQL queries could lead to potential database manipulation (Patchstack).

The vulnerability is classified as an SQL Injection (CWE-89) with a CVSS v3.1 base score of 7.6 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L. The issue stems from insufficient escaping on user-supplied parameters and lack of proper preparation of existing SQL queries, allowing authenticated administrators to append additional SQL queries to extract sensitive information from the database (WPScan).

The vulnerability allows authenticated attackers with administrator-level access to potentially extract sensitive information from the database by manipulating SQL queries. This could lead to unauthorized access to data stored in the WordPress database (WPScan).

Users are advised to update to version 4.0.2 or later of the Payment Forms for Paystack plugin, which contains a fix for this vulnerability. The issue has been assigned a low patch priority, but updating is recommended to ensure system security (Patchstack).