CVE-2025-28942 CRITICAL

CVE-2025-28942: WordPress Trust Payments Gateway for WooCommerce plugin <= 1.1.4 - SQL Injection vulnerability

Vendor Trust Payments
Product Trust Payments Gateway for WooCommerce
Weakness CWE-89 · SQLi
Published March 26, 2025
Last update April 28, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Trust Payments Trust Payments Gateway for WooCommerce trust-payments-hosted-payment-pages-integration allows SQL Injection.This issue affects Trust Payments Gateway for WooCommerce: from n/a through <= 1.1.4.

Explanation of Vulnerability in Simple Terms

02Summary

The Trust Payments Gateway for WooCommerce contains a SQL injection vulnerability in versions up to 1.1.4. An unauthenticated attacker can craft malicious input to execute arbitrary SQL queries against the site's database. This can lead to unauthorized data access and potential service disruption. Update to a version newer than 1.1.4 immediately.

What an attacker can do

03Attacker Capabilities

Execute SQL queries to read or modify database contents without authentication.

Potential impact on your site

04Site Impact

Customer data, payment records, and site configuration may be exposed or altered; site availability may be affected.

Conditions required to exploit

05Prerequisites

Network access to the WooCommerce site; no authentication or user interaction required.

Key dates

06Disclosure timeline

March 26, 2025 CVE published
April 28, 2026 Record updated