CVE-2024-1287 — Exposure of Sensitive Information Through Data Queries in Paid Memberships PRO

CWE-202 — Exposure of Sensitive Information Through Data Queries CWE-89 — SQL Injection CWE-1287 — Improper Validation of Specified Type of Input14 documents8 sources

Severity

6.5MEDIUMNVD

CISA9.3

EPSS

0.7%

top 28.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Strangerstudios Paid Memberships PRO

Timeline

PublishedJul 30

Latest updateDec 16

Description

The pmpro-member-directory WordPress plugin before 1.2.6 does not prevent users with at least the contributor role from leaking other users' sensitive information, including password hashes via an SQLi vector.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶NVDstrangerstudios/paid_memberships_pro< 1.2.6

🔴Vulnerability Details

GHSA

Mattermost Improper Validation of Specified Type of Input vulnerability↗2024-12-16

▶

GHSA

Moodle has arbitrary file read risk through pdfTeX↗2024-11-07

▶

CVEList

Paid Memberships Pro - Member Directory Add On < 1.2.6 - Contributor+ Sensitive Information Disclosure via SQLi↗2024-07-30

▶

GHSA

GHSA-vcwx-63wp-cqr7: The pmpro-member-directory WordPress plugin before 1↗2024-07-30

▶

📋Vendor Advisories

Red Hat

python: Improper validation of IPv6 and IPvFuture addresses↗2024-11-12

▶

Cisco

Cisco Adaptive Security Appliance and Firepower Threat Defense Software Dynamic Access Policies Denial of Service Vulnerability↗2024-10-23

▶

Cisco

Cisco Adaptive Security Appliance and Firepower Threat Defense Software TLS Denial of Service Vulnerability↗2024-10-23

▶

Juniper

CVE-2024-47504: An Improper Validation of Specified Type of Input vulnerability in the packet forwarding engine (pfe) Juniper Networks Junos OS on SRX5000 Series allo↗2024-10-11

▶

CISA

ServiceNow Improper Input Validation Vulnerability↗2024-07-29

▶