CVE-2025-12752

5.3 MEDIUM

📋 TL;DR

The Subscriptions & Memberships for PayPal WordPress plugin fails to properly verify PayPal IPN requests, allowing unauthenticated attackers to create fake payment records. This affects all WordPress sites using this plugin up to version 1.1.7. Attackers can manipulate payment statuses without actual transactions occurring.

💻 Affected Systems

Products:
  • Subscriptions & Memberships for PayPal WordPress plugin
Versions: All versions up to and including 1.1.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with this specific plugin enabled.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers create numerous fake premium subscriptions, granting unauthorized access to paid content, manipulating revenue reports, and potentially causing financial discrepancies.

🟠 Likely Case

Attackers create fake payment entries to access premium content without paying, disrupting subscription management and causing minor financial reporting issues.

🟢 If Mitigated

With proper IPN verification and monitoring, impact is limited to attempted attacks that are logged and blocked.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted IPN requests to the vulnerable endpoint without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.8

Vendor Advisory: https://plugins.trac.wordpress.org/browser/subscriptions-memberships-for-paypal/trunk/includes/public_ipn.php

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins > Installed Plugins.
  3. Find 'Subscriptions & Memberships for PayPal'.
  4. Click 'Update Now' if available.
  5. If not, download version 1.1.8+ from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable Plugin

Platform: all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate subscriptions-memberships-for-paypal

Restrict IPN Endpoint Access

Platform: linux

Block access to the IPN endpoint via web server configuration. Note that this also blocks legitimate IPN notifications from PayPal, so subscription payments will not be recorded until the plugin is patched and the rule is removed.

# In Apache .htaccess (requires mod_rewrite):
RewriteEngine On
RewriteRule ^wp-content/plugins/subscriptions-memberships-for-paypal/includes/public_ipn\.php$ - [F]

# In the Nginx server block:
location ~ ^/wp-content/plugins/subscriptions-memberships-for-paypal/includes/public_ipn\.php$ { deny all; }

🧯 If You Can't Patch

  • Disable the plugin immediately to prevent exploitation.
  • Implement network-level filtering to block suspicious IPN requests to the plugin endpoint.

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 1.1.7 or lower, you are vulnerable.

Check Version:

wp plugin get subscriptions-memberships-for-paypal --field=version

Verify Fix Applied:

After updating, verify plugin version shows 1.1.8 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /wp-content/plugins/subscriptions-memberships-for-paypal/includes/public_ipn.php from unusual IPs
  • Payment entries created without corresponding PayPal transaction IDs

Network Indicators:

  • Unusual traffic to the IPN endpoint from non-PayPal IP addresses
  • HTTP POST requests to public_ipn.php with manipulated parameters

SIEM Query:

source="web_logs" AND uri="/wp-content/plugins/subscriptions-memberships-for-paypal/includes/public_ipn.php" AND method="POST" AND NOT src_ip IN (paypal_ip_range)
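As an added example (not from the advisory or the plugin), the SIEM query above expressed as a log-parsing check in Python over constructed Apache combined-format log lines; the PayPal source range used here is a placeholder from RFC 5737 documentation space, not PayPal's real addresses.

```python
import ipaddress
import re

IPN_PATH = "/wp-content/plugins/subscriptions-memberships-for-paypal/includes/public_ipn.php"

# Placeholder allowlist: replace with the notification source ranges PayPal
# publishes. 203.0.113.0/24 is RFC 5737 documentation space, used only as a
# constructed stand-in.
PAYPAL_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Apache/Nginx "combined" log format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def is_paypal_ip(ip: str) -> bool:
    """True if the source address falls inside a configured PayPal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in PAYPAL_RANGES)

def find_suspicious_ipn_posts(lines):
    """Return POSTs to the IPN endpoint whose source is outside the PayPal allowlist."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash
        path = m["uri"].split("?", 1)[0]  # compare the path only, ignore query string
        if m["method"] != "POST" or path != IPN_PATH:
            continue
        if is_paypal_ip(m["ip"]):
            continue
        alerts.append({"src_ip": m["ip"], "timestamp": m["ts"], "status": int(m["status"])})
    return alerts

# Constructed sample log lines (not real traffic); IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:10:00:01 +0000] "POST /wp-content/plugins/subscriptions-memberships-for-paypal/includes/public_ipn.php HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.23 - - [10/Nov/2025:10:00:05 +0000] "POST /wp-content/plugins/subscriptions-memberships-for-paypal/includes/public_ipn.php?src=test HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '198.51.100.23 - - [10/Nov/2025:10:00:06 +0000] "GET /wp-content/plugins/subscriptions-memberships-for-paypal/includes/public_ipn.php HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '192.0.2.9 - - [10/Nov/2025:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in find_suspicious_ipn_posts(SAMPLE_LOG):
        print(f"{a['timestamp']} suspicious IPN POST from {a['src_ip']} (HTTP {a['status']})")
```

Source-IP allowlisting is a detection heuristic only; the plugin-side fix is to validate each IPN message by posting it back to PayPal and acting only on a VERIFIED response.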
