CVE-2021-25114
Published 2022-02-07

Priority: P187 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 82.25% (99.6th percentile)
The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST routes (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection.
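The description comes down to one CWE-89 pattern: a caller-controlled discount code spliced into SQL text. The example below is added here to model that pattern; it is not the plugin's code, and the table, column names, sample rows and function names are invented for illustration. It puts the concatenated query beside the parameterized one and shows that a boolean condition smuggled in the `code` value changes the result of the first but not the second, which is exactly the oracle a blind SQL injection relies on.

```python
import sqlite3


def make_db():
    """Constructed toy table standing in for an orders/discount-code store.
    This is a model of the bug class, not Paid Memberships Pro's schema."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, code TEXT, user_id INTEGER, total REAL)"
    )
    db.executemany(
        "INSERT INTO orders (code, user_id, total) VALUES (?, ?, ?)",
        [("ABC123", 7, 49.0), ("XYZ789", 8, 99.0), ("SPRING20", 9, 19.0)],
    )
    return db


def lookup_order_unsafe(db, code):
    """Vulnerable pattern (hypothetical): the request value becomes part of the
    SQL statement text, so quotes and keywords in it are interpreted as SQL."""
    sql = "SELECT code, user_id, total FROM orders WHERE code = '" + code + "'"
    return db.execute(sql).fetchall()


def lookup_order_safe(db, code):
    """Hardened pattern: the value is bound as a parameter and can never
    alter the statement's structure, whatever characters it contains."""
    return db.execute(
        "SELECT code, user_id, total FROM orders WHERE code = ?", (code,)
    ).fetchall()


def demo():
    """Run the same inputs through both lookups and return the results."""
    db = make_db()
    benign = "ABC123"
    # Constructed payloads for illustration, not product-specific exploit strings.
    tautology = "' OR '1'='1"          # widens the WHERE clause to every row
    true_probe = "ABC123' AND '1'='1"  # blind oracle: condition true, row returned
    false_probe = "ABC123' AND '1'='2" # blind oracle: condition false, no row
    return {
        "unsafe_benign": lookup_order_unsafe(db, benign),
        "unsafe_tautology": lookup_order_unsafe(db, tautology),
        "unsafe_true": lookup_order_unsafe(db, true_probe),
        "unsafe_false": lookup_order_unsafe(db, false_probe),
        "safe_benign": lookup_order_safe(db, benign),
        "safe_tautology": lookup_order_safe(db, tautology),
        "safe_true": lookup_order_safe(db, true_probe),
        "safe_false": lookup_order_safe(db, false_probe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:17s} -> {rows}")
```

The unsafe lookup returns all three rows for the tautology and answers the two probes differently, so an attacker who can only see "row or no row" can still extract data one condition at a time. The parameterized lookup returns nothing for every hostile string because the whole value is compared literally against the code column; in WordPress the equivalent is `$wpdb->prepare()` with placeholders rather than string concatenation.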
Affected (3 version ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| strangerstudios | paid_memberships_pro | >= 2.4 < 2.4.5 | 2.4.5 |
| strangerstudios | paid_memberships_pro | >= 2.5 < 2.5.11 | 2.5.11 |
| strangerstudios | paid_memberships_pro | >= 2.6 < 2.6.7 | 2.6.7 |
Detection & IOCs (extracted from sources)

URL pattern: /wp-json/pmpro/v1/order?code=

Response matcher (Nuclei DSL; shown on the page under a "sigma" label, but it is the Nuclei template's matcher expression, not a Sigma rule):

```
contains(header_1, 'application/json') AND status_code == 200 AND contains(body_2, 'other_discount_code_')
```

- The vulnerable REST route is reachable without authentication; monitor for SQL injection payloads in the `code` query parameter of the Paid Memberships Pro order endpoint (the value the advisory refers to as discount_code).
- The Nuclei matcher counts a response as a hit when it is HTTP 200 with Content-Type application/json and the body contains the string 'other_discount_code_'. In the template, header_1 and body_2 refer to the template's own first and second requests, so this fingerprints the template's probe rather than exploitation in general; pair it with the request-side payload check above.
- All Paid Memberships Pro versions before 2.6.7 are affected (fixed in 2.4.5, 2.5.11 and 2.6.7 on their respective branches); confirm the deployed plugin version is at or above the fix for its branch.
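To turn the detection notes above into something runnable, the following added example (not from the page's sources, the plugin, or the Nuclei project) scans constructed access-log lines for requests to the Paid Memberships Pro order route whose `code` parameter carries SQL metacharacters, and checks a captured response against the page's matcher. The log lines, IP addresses, the indicator list and all helper names are assumptions made for this example. It also covers the `?rest_route=/pmpro/v1/order` form WordPress accepts when pretty permalinks are disabled, which the `/wp-json/...` URL IOC on its own would miss.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access-log lines for illustration; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Apr/2024:10:01:02 +0000] "GET /wp-json/pmpro/v1/order?code=SPRING20 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Apr/2024:10:01:07 +0000] "GET /wp-json/pmpro/v1/order?code=a%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1874 "-" "python-requests/2.31"
198.51.100.9 - - [11/Apr/2024:10:01:09 +0000] "GET /wp-json/pmpro/v1/order?code=a%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 118 "-" "python-requests/2.31"
203.0.113.7 - - [11/Apr/2024:10:02:00 +0000] "GET /wp-json/wp/v2/posts?search=%27 HTTP/1.1" 200 5201 "-" "curl/8.0"
203.0.113.8 - - [11/Apr/2024:10:02:30 +0000] "GET /?rest_route=/pmpro/v1/order&code=X%27%20UNION%20SELECT%201 HTTP/1.1" 200 90 "-" "curl/8.0"
"""

# Minimal combined-log parser: client IP, request target and status are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed indicator set: quotes, comment openers and the usual SQL keywords.
SQLI_RE = re.compile(r"""['"]|--|/\*|\b(or|and|union|select|sleep|benchmark)\b""", re.I)
ROUTE = "/pmpro/v1/order"


def pmpro_order_code(target):
    """Return the URL-decoded `code` value if `target` hits the PMPro order
    route, else None. Matches both /wp-json/<route> and the ?rest_route=<route>
    form WordPress serves when pretty permalinks are off."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    path = parts.path.rstrip("/")
    via_wp_json = path == "/wp-json" + ROUTE
    via_rest_route = path in ("", "/index.php") and any(
        r.rstrip("/") == ROUTE for r in qs.get("rest_route", [])
    )
    if not (via_wp_json or via_rest_route):
        return None
    return qs.get("code", [None])[0]


def scan_log(text):
    """Return (ip, decoded_code, indicators) for each request to the order
    route whose code parameter contains SQL injection indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        code = pmpro_order_code(m["target"])
        if code is None:
            continue
        found = sorted({x.group(0).lower() for x in SQLI_RE.finditer(code)})
        if found:
            hits.append((m["ip"], code, found))
    return hits


def matches_template_fingerprint(status_code, headers, body):
    """Response-side check mirroring the page's matcher: HTTP 200, a JSON
    content type and the marker string. The template evaluates header_1 and
    body_2 across two requests; here a single captured response is checked."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return status_code == 200 and "application/json" in ctype and "other_discount_code_" in body


if __name__ == "__main__":
    for ip, code, indicators in scan_log(SAMPLE_LOG):
        print(f"{ip:14s} code={code!r} indicators={indicators}")
```

Legitimate discount codes in the sample produce no indicators, the `/wp/v2/posts` probe is ignored because it is not the vulnerable route, and the `rest_route` variant is caught even though its path is `/`. The indicator list is a starting point for a WAF or SIEM rule, not a complete grammar: tune it against real traffic before alerting on it.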
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | | 9.8 | CRITICAL | |
GHSA
GHSA-hx6g-9577-37jq · ghsa_unreviewed · 2022-02-08 · CWE-89 · CRITICAL
Title and description are the CVE description quoted above.
VulnCheck
strangerstudios paid_memberships_pro · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') · 2021 · CVSS 9.8 · CRITICAL
Description: the CVE description quoted above.
Affected: strangerstudios paid_memberships_pro
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-11&host_type=src&vulnerability=cve-2021-25114; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-13&host_type=
No detection rules found.
Nuclei
WordPress Paid Memberships Pro <2.6.7 - Blind SQL Injection · CVSS 9.8 · CRITICAL

Matcher fragment from the template (two-request template: header_1 is the first response's headers, body_2 the second response's body):

```yaml
- contains(header_1, "application/json")
- status_code == 200
- contains(body_2, 'other_discount_code_')
condition: and
# digest: 4a0a00473045022100807a5d3549df3cb2e0294a4820e5c71c97ae1255f5c29b8937fb14f11108dc3a02207cd2e9f14452b294eb5ff7a37e14c8c5a199c5ecb285a38aad11310fff8b351e:922c64590222798bb761d5b6d8e72950
```