cbcvebase.
CVE-2020-14092
published 2020-07-02

CVE-2020-14092: The CodePeople Payment Form for PayPal Pro plugin before 1.1.65 for WordPress allows SQL Injection.

Priority: P279 (critical)
CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Exploit: public exploit available
EPSS: 94.53% (99.8th percentile)

Affected

1 range

Vendor:        ithemes
Product:       paypal_pro
Version range: < 1.1.65
Fixed in:      1.1.65

Detection & IOCs (extracted from sources)

url:   /?cffaction=get_data_from_database&query=SELECT%20*%20from%20wp_users
path:  /?cffaction=get_data_from_database
other: cffaction=get_data_from_database
snort: ET EXPLOIT Paypal Pro [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Paypal Pro < 1.1.65 SQLi (CVE-2020-14092)"; flow:established,to_server; http.uri; content:"/?cffaction=get_data_from_database"; nocase; fast_pattern; content:"query="; pcre:"/^[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,wpscan.com/vulnerability/10287; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-14092; classtype:attempted-admin; sid:2033642; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, cve CVE_2020_14092, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_08_02;)
  • Exploit requests use HTTP GET to the path `/?cffaction=get_data_from_database` with a `query=` parameter containing raw SQL. Match both URI components together to reduce false positives.
  • A successful exploitation response (HTTP 200, Content-Type: text/html) will contain the strings `user_login`, `user_email`, `user_pass`, and `user_activation_key` in the body — indicating wp_users table data was dumped in JSON format.
  • The Emerging Threats Snort rule (sid:2033642) uses a PCRE to detect common SQL keywords (SELECT, UNION, UPDATE, DELETE, INSERT, SHOW, EXEC, comments) in the `query=` parameter of the exploit URI, covering a broad range of SQLi payloads beyond the PoC.
  • The vulnerability is unauthenticated — no session cookie or authentication header is required. Any request to the exploit path from an unauthenticated source should be treated as high-confidence malicious activity.
  • The Snort rule requires SSL/TLS decryption to be effective against HTTPS traffic, as indicated by the `deployment SSLDecrypt` metadata tag.
  • The Nuclei template matcher requires ALL four body strings (`user_login`, `user_email`, `user_pass`, `user_activation_key`) to be present simultaneously (condition: and), meaning partial SQL dumps or error responses will not trigger the match.
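The detection notes above can be applied retroactively to web server access logs, which is useful where no IDS with TLS decryption was in front of the site. The following is an added example written for this page; it is not code from cbcvebase, Emerging Threats or the Nuclei project. It ports the PCRE from sid:2033642 to Python and applies it to the decoded `query=` parameter, insists (as the notes recommend) that `cffaction=get_data_from_database` be present on the same request, and implements the Nuclei-style AND matcher over a response body. The combined-log-format parsing and all log lines and bodies are constructed sample data, and the verdict labels (`exploit`, `suspicious`, `benign`) are this example's own convention.

```python
import re
from urllib.parse import parse_qs, urlsplit

# SQL keyword PCRE from ET sid:2033642, minus its "^[^&]*" anchor: here it is run
# on the already-split, URL-decoded value of the query= parameter.
SQL_KEYWORDS = re.compile(
    r"(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))"
    r"|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|/\*.+\*/|EXEC)",
    re.IGNORECASE,
)

# Apache/nginx "combined" access log format (assumption for this example).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# The four wp_users column names the Nuclei template requires (condition: and).
DUMP_MARKERS = ("user_login", "user_email", "user_pass", "user_activation_key")


def classify_request(uri: str) -> str:
    """Return 'exploit', 'suspicious' or 'benign' for one request URI.

    'exploit'    : vulnerable action present AND query= carries SQL keywords
    'suspicious' : vulnerable action present, query= absent or non-SQL
    'benign'     : action not present (a SELECT elsewhere is not enough on its own)
    """
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    if "get_data_from_database" not in params.get("cffaction", []):
        return "benign"
    if any(SQL_KEYWORDS.search(q) for q in params.get("query", [])):
        return "exploit"
    return "suspicious"


def response_indicates_dump(body: str) -> bool:
    """Nuclei-style matcher: all four markers must be present (AND), so error
    pages or partial output that mention only one column do not match."""
    return all(marker in body for marker in DUMP_MARKERS)


def scan_log(lines):
    """Yield (client_ip, verdict, status, uri) for every non-benign request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        verdict = classify_request(m["uri"])
        if verdict != "benign":
            findings.append((m["ip"], verdict, m["status"], m["uri"]))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jul/2020:10:15:32 +0000] "GET /?cffaction=get_data_from_database&query=SELECT%20*%20from%20wp_users HTTP/1.1" 200 4127',
    '198.51.100.23 - - [02/Jul/2020:10:16:01 +0000] "GET /?cffaction=get_data_from_database&query=1 HTTP/1.1" 200 12',
    '192.0.2.44 - - [02/Jul/2020:10:16:45 +0000] "GET /wp-login.php HTTP/1.1" 200 3021',
    '203.0.113.7 - - [02/Jul/2020:10:17:10 +0000] "GET /?p=12&query=select%20name%20from%20menu HTTP/1.1" 200 5530',
]

# Constructed response bodies: a (fake) dumped wp_users row versus an error page.
DUMP_BODY = ('[{"ID":"1","user_login":"admin","user_pass":"$P$Bexample","'
             'user_email":"admin@example.test","user_activation_key":""}]')
ERROR_BODY = '{"error":"user_login not found"}'

if __name__ == "__main__":
    for ip, verdict, status, uri in scan_log(SAMPLE_LOG):
        print(f"{verdict:10s} {ip:15s} {status} {uri}")
    print("dump body matches:", response_indicates_dump(DUMP_BODY))
    print("error body matches:", response_indicates_dump(ERROR_BODY))
```

Run over the sample lines, the first request is classified `exploit`, the second (same endpoint, no SQL in `query=`) `suspicious`, and the two remaining lines `benign`; the fourth line shows why the notes say to match both URI components together, since a `SELECT` in an unrelated parameter alone would be a false positive. Because the action is unauthenticated, even the `suspicious` class is worth reviewing per the notes above.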

CVSS provenance

NVD v3.1: 9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P