Paid Memberships Pro < 2.3.3 - Authenticated SQL Injection



Description
A high-privileged user (administrator) could perform SQL injection attacks when adding new orders in the dashboard.

Affects Plugin

Fixed in version 2.3.3

References

URL https://jvn.jp/en/jp/JVN20248858/
URL https://plugins.trac.wordpress.org/changeset/2304166/paid-memberships-pro

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher Kenichi Okuno of Mitsui Bussan Secure Directions, Inc
Verified No
WPVDB ID 10231

Timeline

Publicly Published 2020-05-19
Added 2020-05-19
Last Updated 2020-05-20