WordPress Plugin Vulnerabilities

Payment Form For Paypal Pro < 1.1.65 - Unauthenticated SQL Injection

Description

The 'query' parameter allowed for any unauthenticated user to perform SQL queries with result output to a web page in JSON format.

Proof of Concept

Affects Plugins

Plugin icon
payment-form-for-paypal-pro
Fixed in 1.1.65

References

CVE
CVE-2020-14092
URL
https://plugins.trac.wordpress.org/changeset/2323857/payment-form-for-paypal-pro

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.1 (critical)

Miscellaneous

Original Researcher
Rishi
Submitter
Rishi
Verified
Yes
WPVDB ID
33414d86-2bad-4b8e-9bc5-9a92811abf9b

Timeline

Publicly Published
2020-07-02 (about 5 years ago)
Added
2020-07-02 (about 5 years ago)
Last Updated
2020-07-03 (about 5 years ago)

Other

Published
Title
Published
2025-04-22
Title
Frontend Dashboard < 2.2.6 - Unauthenticated SQL Injection
Published
2025-05-07
Title
Dynamic Pricing With Discount Rules for WooCommerce < 4.5.9 - Authenticated (Shop manager+) SQL Injection
Published
2025-04-04
Title
Video & Photo Gallery for Ultimate Member <= 1.1.3 - Authenticated (Administrator+) SQL Injection
Published
2014-08-01
Title
WPtouch 1.9.8 - include/submit.php Multiple Parameter SQL Injection
Published
2023-12-04
Title
Couponis Demo < 2.2 - Unauthenticated SQL Injection