CVE-2025-28983: 
WordPress vulnerability analysis and mitigation

A critical SQL Injection vulnerability (CVE-2025-28983) was discovered in the WordPress Click & Pledge Connect plugin. The vulnerability affects versions from 25.04010101 through WP6.8. The issue was discovered by security researcher Martino Spagnuolo and was publicly disclosed on July 1, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability, identified as CWE-89. It received a CVSS v3.1 score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows privilege escalation, potentially enabling malicious actors to escalate their low-privileged account to higher privileges. If successfully exploited, attackers could potentially gain full control of the affected website (Patchstack).

Users are advised to update to version 25.07000000-WP6.8.1 or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).