CVE-2025-8877
📋 TL;DR
This SQL injection vulnerability in the AffiliateWP WordPress plugin allows unauthenticated attackers to execute arbitrary SQL queries through the ajax_get_affiliate_id_from_login function. Attackers can extract sensitive database information including user credentials, payment details, and other confidential data. All WordPress sites using AffiliateWP versions up to 2.28.2 are affected.
💻 Affected Systems
- AffiliateWP WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to credential theft, financial data exposure, privilege escalation, and potential site takeover.
Likely Case
Extraction of sensitive affiliate and user data including email addresses, payment information, and potentially hashed passwords.
If Mitigated
Limited information disclosure if database permissions are properly restricted and sensitive data is encrypted.
🎯 Exploit Status
Exploitation requires sending crafted AJAX requests to vulnerable endpoint. Public exploit details available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.28.3 or later
Vendor Advisory: https://affiliatewp.com
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find AffiliateWP and click 'Update Now'. 4. Verify version is 2.28.3 or higher.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable AffiliateWP plugin until patched to prevent exploitation
wp plugin deactivate affiliate-wp
WAF Rule Implementation
allBlock SQL injection patterns targeting the vulnerable AJAX endpoint
🧯 If You Can't Patch
- Implement strict web application firewall rules to block SQL injection patterns
- Restrict access to /wp-admin/admin-ajax.php endpoint to authenticated users only
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → AffiliateWP version. If version is 2.28.2 or lower, system is vulnerable.Check Version:
wp plugin get affiliate-wp --field=versionVerify Fix Applied:
Verify AffiliateWP plugin version is 2.28.3 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with SQL keywords in parameters
- Multiple failed SQL query attempts from single IP
Network Indicators:
- HTTP POST requests to admin-ajax.php with SQL injection payloads in 'login' parameter
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (method="POST") AND (param="login" CONTAINS "UNION" OR param="login" CONTAINS "SELECT" OR param="login" CONTAINS "OR")