CVE-2025-9322: 
WordPress vulnerability analysis and mitigation

CVE-2025-9322 affects the Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions plugin for WordPress in versions up to and including 8.3.1. The vulnerability was discovered and disclosed on October 24, 2025, with the NVD entry being updated on October 25, 2025 (NVD, Wordfence).

The vulnerability is classified as an SQL Injection vulnerability that exists due to insufficient escaping of the 'wpfs-form-name' parameter and lack of proper SQL query preparation. The CVSS v3.1 base score is 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The weakness is categorized as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD).

This vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to the extraction of sensitive information from the database. The impact primarily affects the confidentiality of the system, with high potential for unauthorized access to sensitive data (Tenable).

Users should immediately update their Stripe Payment Forms plugin to a version newer than 8.3.1 if available. No specific workarounds have been publicly documented for this vulnerability (NVD).