Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-23488 — SQL Injection in Paid Memberships PRO

CWE-89 — SQL Injection
6 documents, 6 sources
Severity
9.8 CRITICAL (NVD)
EPSS
84.2% (top 0.69% of scored CVEs)
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: 2023-01-20
Latest update: 2023-04-03

Description

The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (1 package)

Vulnerability Details (3 sources)

- GHSA, 2023-01-20: GHSA-pppw-hpjp-v2p9 — The Paid Memberships Pro WordPress Plugin, version < 2…
- CVEList, 2023-01-20: CVE-2023-23488 — The Paid Memberships Pro WordPress Plugin, version < 2…
- VulnCheck, 2023: strangerstudios paid_memberships_pro — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploits & PoCs (2)

- Exploit-DB, 2023-04-03: Paid Memberships Pro v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection
- Nuclei: WordPress Paid Memberships Pro <2.9.8 - Blind SQL Injection

Note that the Exploit-DB title names v2.9.8, whereas the advisory description and the Nuclei template both treat versions below 2.9.8 as affected, i.e. 2.9.8 as the first fixed release; confirm the installed version against the advisory rather than the exploit title.
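Two offline checks a responder is likely to want next to this entry, covering both the description above (unauthenticated SQL injection via the `code` parameter of the `/pmpro/v1/order` REST route in versions below 2.9.8) and the public PoC listing: a version check that reads a plugin readme.txt "Stable tag" line and compares it to the fixed release, and a log sweep that pulls the decoded `code` value out of requests to the order route and flags SQL metacharacters or keywords. This is an added example, not code from Paid Memberships Pro, cvebase, or any listed PoC. Assumptions: the plugin readme.txt carries a standard WordPress `Stable tag:` line; the route is reached as `/wp-json/pmpro/v1/order` or, on sites without pretty permalinks, as `/?rest_route=/pmpro/v1/order`; the log lines and readme text are constructed samples; the indicator regex is a heuristic of my own, not the Nuclei template's logic.

```python
"""Added triage helpers for CVE-2023-23488 (Paid Memberships Pro < 2.9.8).

Not code from Paid Memberships Pro, cvebase, or the listed PoCs.
Assumptions: readme.txt has a WordPress "Stable tag:" line; the advisory's
REST route is served at /wp-json/pmpro/v1/order or /?rest_route=/pmpro/v1/order.
All sample input below is constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

FIXED_VERSION = (2, 9, 8)        # first release the advisory lists as fixed
ROUTE = "/pmpro/v1/order"        # REST route named in the description
SAFE_CODE = re.compile(r"^[A-Za-z0-9_-]*$")
# Heuristic indicators only (assumption): quotes, comment openers, common SQLi keywords.
SQLI_HINT = re.compile(
    r"""['"`;\\]|--|/\*|\b(?:sleep|benchmark|union|select|extractvalue|updatexml)\b""",
    re.IGNORECASE,
)
# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """'2.9.7' -> (2, 9, 7); a non-numeric suffix such as '-beta' ends the tuple."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def affected_version(readme_text):
    """Return (stable_tag, is_affected) from the contents of the plugin's readme.txt."""
    m = re.search(r"^Stable tag:\s*([\w.\-]+)", readme_text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Stable tag:' line found in readme.txt")
    tag = m.group(1)
    return tag, parse_version(tag) < FIXED_VERSION


def extract_code_param(target):
    """Return the percent-decoded `code` value if `target` hits the order route, else None."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)   # parse_qs decodes %XX and '+'
    rest_route = qs.get("rest_route", [""])[0]
    path = unquote(parts.path).rstrip("/")
    if not (path.endswith(ROUTE) or rest_route.rstrip("/") == ROUTE):
        return None
    return qs.get("code", [""])[0]


def classify_code(code):
    """Reason string if the order code looks like an injection attempt, else None."""
    m = SQLI_HINT.search(code)
    if m:
        return "sqli-indicator:" + m.group(0)
    if not SAFE_CODE.match(code):
        return "non-alphanumeric"
    return None


def flag_order_requests(log_text):
    """Scan combined-format access log text; return suspicious hits on the order route."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        code = extract_code_param(m["target"])
        if code is None:
            continue
        reason = classify_code(code)
        if reason:
            findings.append({"ip": m["ip"], "ts": m["ts"], "code": code, "reason": reason})
    return findings


# Constructed sample input: one benign lookup, two injection-style probes, one unrelated hit.
SAMPLE_LOG = """\
198.51.100.20 - - [03/Apr/2023:10:15:22 +0000] "GET /wp-json/pmpro/v1/order?code=AB12CD34EF HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Apr/2023:10:16:01 +0000] "GET /wp-json/pmpro/v1/order?code=%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 41 "-" "curl/7.88.1"
203.0.113.7 - - [03/Apr/2023:10:16:09 +0000] "GET /?rest_route=%2Fpmpro%2Fv1%2Forder&code=1%27%20UNION%20SELECT%201--%20 HTTP/1.1" 200 41 "-" "python-requests/2.28"
198.51.100.21 - - [03/Apr/2023:10:17:45 +0000] "GET /wp-json/wp/v2/posts?search=%27 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
SAMPLE_README = "=== Paid Memberships Pro ===\nRequires at least: 5.2\nStable tag: 2.9.7\n"

if __name__ == "__main__":
    print(affected_version(SAMPLE_README))
    for finding in flag_order_requests(SAMPLE_LOG):
        print(finding)
```

The version check only establishes exposure, not compromise: an installed tag below 2.9.8 means update, regardless of what the logs show. The log sweep is a GET-only heuristic, since request bodies do not appear in access logs and a fully encoded or WAF-evading payload may not trip the indicator regex; treat any hit on the route from an unfamiliar client as worth a closer look, and remember that blind injection, as the Nuclei template name says, returns a normal-looking 200.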
CVE-2023-23488 — SQL Injection in Paid Memberships PRO | cvebase