CVE-2025-28983 CRITICAL

CVE-2025-28983: WordPress Click & Pledge Connect plugin <= 25.04010101-WP6.8 - Privilege Escalation via SQL Injection vulnerability

Vendor Clickandpledge
Product Click & Pledge Connect
Weakness CWE-89 · SQLi
Published July 4, 2025
Last update April 28, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect allows Privilege Escalation. This issue affects Click & Pledge Connect: from 25.04010101 through WP6.8.

Explanation of Vulnerability in Simple Terms

02 Summary

Click & Pledge Connect contains a SQL injection vulnerability in versions 25.04010101 through WP6.8. An attacker can inject malicious SQL commands through unvalidated input, potentially reading, modifying, or deleting database records. No authentication or user interaction is required to exploit this flaw. Organizations using affected versions should update immediately.

What an attacker can do

03 Attacker Capabilities

Read, modify, or delete database records; extract sensitive donor and transaction data.

Potential impact on your site

04 Site Impact

Donor records, payment data, and site configuration could be compromised or destroyed without warning.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

July 4, 2025 CVE published
April 28, 2026 Record updated