CVE-2025-8877
AffiliateWP <= 2.28.2 - Unauthenticated SQL InjectionThe AffiliateWP plugin for WordPress is vulnerable to SQL Injection via the ajax_get_affiliate_id_from_login function in all versions up to, and including, 2.28.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
We have discovered 5,596 live websites that are affected by CVE-2025-8877.
Affected Software
| Product |  AffiliateWP |
| Category | Wordpress Plugins |
| Vulnerable Domains | 5,596 live websites (77% of AffiliateWP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 165 versions ( 98% of all versions) |
Common Weakness Enumeration
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')Details
- Published - Sep 30, 2025
- Updated - Sep 30, 2025
Credits
- LionTree (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-8877 United States | 2,977 websites |
 Germany | 335 websites |
 GB | 252 websites |
 Singapore | 229 websites |
 France | 163 websites |
 Spain | 157 websites |
 Netherlands | 126 websites |
 Canada | 97 websites |
 Cyprus | 86 websites |
 Australia | 84 websites |
Website Distribution by TLD
Number of websites using CVE-2025-8877| .com | 3,651 websites |
| .de | 140 websites |
| .org | 138 websites |
| .net | 120 websites |
| .co.uk | 102 websites |
| .nl | 87 websites |
| .com.br | 74 websites |
| .co | 71 websites |
| .com.au | 67 websites |
| .es | 56 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-8877
Top websites that are affected by CVE-2025-8877. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.******.com | United States | *** | |
| ************.com | United States | *,*** | |
| ***********.com | Singapore | *,*** | |
| **********.com | United States | *,*** | |
| ***************.com | United States | *,*** | |
| *******.org | United States | *,*** | |
| *************.com | United States | *,*** | |
| **********.com | United States | **,*** | |
| *************.com | United States | **,*** | |
| ***************.com | United States | **,*** |
FAQ
CVE-2025-8877 is Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in AffiliateWP
A total of 5,596 websites have been identified as vulnerable to CVE-2025-8877, based on global website indexing conducted by WebTechSurvey.
The AffiliateWP is affected by the CVE-2025-8877 vulnerability.
AffiliateWP versions up to and including 2.28.2 are vulnerable to CVE-2025-8877.