CVE-2025-52773 CRITICAL

CVE-2025-52773: WordPress HieCOR Payment Gateway plugin <= 1.5.11 - SQL Injection vulnerability

Vendor Hiecor
Product HieCOR Payment Gateway Plugin
Weakness CWE-89 · SQLi
Published November 6, 2025
Last update April 28, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01 Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hiecor HieCOR Payment Gateway Plugin hcv4-payment-gateway allows SQL Injection. This issue affects HieCOR Payment Gateway Plugin: from n/a through <= 1.5.11.

Explanation of Vulnerability in Simple Terms

02 Summary

The HieCOR Payment Gateway Plugin versions 1.5.11 and earlier contain a SQL injection vulnerability in an unauthenticated endpoint. An attacker can query or modify the site's database without logging in, potentially exposing payment data, customer information, and other sensitive records. The vulnerability affects the plugin's core database interaction layer and requires no user interaction to exploit.

What an attacker can do

03 Attacker Capabilities

Query or modify the site's database to steal payment data, customer records, and other sensitive information.

Potential impact on your site

04 Site Impact

Customer payment data, personal information, and site data can be stolen or altered by remote attackers.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

November 6, 2025 CVE published
April 28, 2026 Record updated