WordPress Plugin Vulnerabilities

Paid Memberships Pro < 2.3.3 - Authenticated SQL Injection

Description

A high privileged user (administrator) could perform SQL injection attacks when adding new orders in the dashboard.

Affects Plugins

Plugin icon
paid-memberships-pro
Fixed in 2.3.3

References

URL
https://jvn.jp/en/jp/JVN20248858/
URL
https://plugins.trac.wordpress.org/changeset/2304166/paid-memberships-pro

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Kenichi Okuno of Mitsui Bussan Secure Directions, Inc
Verified
No
WPVDB ID
2ea15a69-32e5-45c2-a5dc-37527ac05645

Timeline

Publicly Published
2020-05-19 (about 4 years ago)
Added
2020-05-19 (about 4 years ago)
Last Updated
2020-05-20 (about 4 years ago)

Other

Published
Title
Published
2022-07-23
Title
Translatepress Multilinugal < 2.3.3 - Admin+ SQLi
Published
2019-03-15
Title
Better Search 2.2.2 - Unauthenticated SQL Injection
Published
2024-02-22
Title
Admin side data storage for Contact Form 7 <= 1.1.1 - Authenticated (Admin+) SQL Injection
Published
2021-07-30
Title
JiangQie Official Website Mini Program < 1.1.1 - Authenticated SQL Injection
Published
2023-12-27
Title
Fluent Support < 1.7.7 - Authenticated(Administrator+) SQL Injection