CVE-2025-59008: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2025-59008) was discovered in PressTigers ZIP Code Based Content Protection WordPress plugin affecting versions through 1.0.0. The vulnerability was reported by researcher RoyTdd on April 24, 2025, and was publicly disclosed on September 8, 2025 (Patchstack).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and has received a CVSS v3.1 score of 7.6 (High). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), and has a changed scope (S:C) with high confidentiality impact (C:H), no integrity impact (I:N), and low availability impact (A:L) (NVD, Patchstack).

The vulnerability could allow a malicious actor with administrator privileges to directly interact with the database, potentially leading to unauthorized access to sensitive information stored in the WordPress database (Patchstack).

The vulnerability has been fixed in version 1.0.1 of the ZIP Code Based Content Protection plugin. Users are advised to update to version 1.0.1 or later to remove the vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).