CVE-2023-23488
published 2023-01-20


Priority: P1 89
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 92.46% (99.8th percentile)
The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.

Affected

1 range

Vendor           Product                 Version range   Fixed in
strangerstudios  paid_memberships_pro    < 2.9.8         2.9.8

Detection & IOCs (extracted from sources)

url:  /?rest_route=/pmpro/v1/order&code=a
path: /pmpro/v1/order
  • Monitor for unauthenticated GET/POST requests to the REST route '/?rest_route=/pmpro/v1/order' (or '/wp-json/pmpro/v1/order') with a 'code' parameter containing SQL injection payloads (e.g., time-based blind SQLi patterns).
  • Exploit tooling uses sqlmap with '--technique=T' (time-based blind) against the 'code' parameter; alert on time-based SQLi signatures targeting this endpoint.
  • Exploitation targets the 'wp_users' table to exfiltrate user_login and user_pass columns; monitor for anomalous database query times or large response payloads from this REST endpoint.
  • Wordfence returns HTTP 403 for exploit attempts; a status code other than 403 on this endpoint may indicate an unprotected vulnerable installation.
  • Fingerprint vulnerable installations by checking for the string 'pmpro_updates' in the response body of the target WordPress site.
  • Vulnerability only affects Paid Memberships Pro plugin versions prior to 2.9.8; patched installations (>= 2.9.8) are not affected.
  • The exploit is fully unauthenticated — no WordPress credentials or session are required to trigger the SQL injection.

CVSS provenance

nvd (v3.1):  9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck:   9.8 CRITICAL