WordPress Plugin Vulnerabilities

Paid Membership Pro < 2.5.6 - Authenticated SQL Injection

Description

The plugin was affected by an authenticated SQL Injection when filtering users in the dashboard, as the order parameter was not properly validated/sanitised before being added to a SQL statement.

Affects Plugins

Plugin icon
paid-memberships-pro
Fixed in 2.5.6

References

CVE
CVE-2021-20678
URL
https://www.paidmembershipspro.com/pmpro-update-2-5-6/
URL
https://jvn.jp/en/jp/JVN08191557/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
Gen Sato of Mitsui Bussan Secure Directions, Inc
Verified
Yes
WPVDB ID
166b2829-047c-439a-b59c-f5ad194cbaae

Timeline

Publicly Published
2021-03-17 (about 4 years ago)
Added
2021-03-17 (about 4 years ago)
Last Updated
2021-03-19 (about 4 years ago)

Other

Published
Title
Published
2023-01-12
Title
Simple Membership WP < 1.8 - Admin+ SQLi
Published
2026-01-21
Title
Nelio Content < 4.2.1 - Authenticated (Contributor+) SQL Injection
Published
2025-02-18
Title
LTL Freight Quotes – SEFL Edition < 3.2.5 - Unauthenticated SQL Injection
Published
2022-12-05
Title
Contest Gallery < 19.1.5 - Admin+ SQL Injection
Published
2018-08-26
Title
Gift Voucher < 4.1.8 - Unauthenticated Blind SQL Injection