CVE-2023-23488
In short
The Paid Memberships Pro WordPress plugin (versions before 2.9.8) has a critical flaw that lets anyone inject SQL through a web request to one of its REST endpoints, without logging in, potentially exposing or altering sensitive database contents such as membership and payment records.
Technical detail
Unauthenticated SQL injection vulnerability in the Paid Memberships Pro plugin REST endpoint (/pmpro/v1/order) via the 'code' parameter allows remote attackers to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or exfiltration of sensitive information including membership and payment data.
Summary generated and translated by AI from the official description.
The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)
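Two checks a defender would want after reading the description above, as an added example that is not part of this advisory, of the plugin, or of any of the listed PoCs: decide whether a discovered plugin version falls in the affected range (anything below 2.9.8), and scan web-server access logs for requests to the /pmpro/v1/order REST route whose 'code' query parameter carries SQL metacharacters or keywords instead of a plain order code. The plugin header text and the log lines are constructed samples; the route and parameter name come from the description, while the injected strings are generic SQL-injection shapes chosen for illustration, not payloads taken from the PoCs.

```python
"""Triage helpers for CVE-2023-23488 (Paid Memberships Pro < 2.9.8).

1. is_affected_version(): is an installed version below the fixed release?
2. find_suspicious_requests(): which access-log lines hit the /pmpro/v1/order
   route with a 'code' parameter that does not look like an order code?
All sample data below is constructed for this example.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (2, 9, 8)          # first release the description calls fixed
ROUTE = "/pmpro/v1/order"          # REST route named in the description


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.9.7' or '2.10' into an int tuple so that '2.9.10' > '2.9.8'.
    A non-numeric suffix ('2.9.8-beta') is dropped, so a prerelease of the
    fixed version is treated as fixed; tighten this if that matters to you."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when the version is below 2.9.8 (the advisory's '< 2.9.8')."""
    return parse_version(version) < FIXED_VERSION


def version_from_plugin_header(header_text: str) -> Optional[str]:
    """Pull the 'Version:' field out of a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", header_text, re.M)
    return m.group(1) if m else None


# Constructed plugin header, shaped like the top of a WordPress plugin file.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Paid Memberships Pro
Version: 2.9.7
*/
"""

# Things that never appear in a legitimate alphanumeric order code.
SQLI_MARKERS = re.compile(r"['\"`;]|--|/\*|\b(union|select|sleep|benchmark)\b", re.I)
# Request line inside a Common/Combined Log Format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def request_targets_route(target: str) -> bool:
    """Match both URL forms WordPress accepts for a REST route:
    /wp-json/pmpro/v1/order?code=...  and  /?rest_route=/pmpro/v1/order&code=..."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").endswith("/wp-json" + ROUTE):
        return True
    rest_route = parse_qs(parts.query).get("rest_route", [""])[0]
    return rest_route.rstrip("/") == ROUTE


def code_param(target: str) -> Optional[str]:
    """Return the percent-decoded 'code' query value, or None if absent."""
    qs = parse_qs(urlsplit(target).query)
    return qs["code"][0] if "code" in qs else None


def find_suspicious_requests(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, method, decoded code) for each request to the order route
    whose code contains SQL metacharacters. Only query-string parameters are
    visible in an access log; a body parameter needs request-body logging or
    a WAF to inspect, so absence of hits here is not proof of no attempts."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m or not request_targets_route(m.group("target")):
            continue
        code = code_param(m.group("target"))
        if code is not None and SQLI_MARKERS.search(code):
            hits.append((n, m.group("method"), code))
    return hits


# Constructed log lines: one benign lookup, two injection-shaped requests on
# the order route (both URL forms), and one quote on an unrelated route.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2023:12:00:01 +0000] "GET /wp-json/pmpro/v1/order?code=A1B2C3D4 HTTP/1.1" 200 412',
    '203.0.113.9 - - [10/Jan/2023:12:00:07 +0000] "GET /?rest_route=/pmpro/v1/order&code=A1B2C3D4%27%20OR%201%3D1--%20- HTTP/1.1" 200 9812',
    '203.0.113.9 - - [10/Jan/2023:12:00:09 +0000] "GET /wp-json/pmpro/v1/order?code=x%27%20UNION%20SELECT%20user_pass%20FROM%20wp_users--%20- HTTP/1.1" 200 10240',
    '198.51.100.2 - - [10/Jan/2023:12:01:00 +0000] "GET /wp-json/wp/v2/posts?search=%27 HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    found = version_from_plugin_header(SAMPLE_HEADER)
    print("installed:", found, "affected:", is_affected_version(found or "0"))
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The version check matters more than the log scan: a 200 response with a large body on the second and third sample lines is what a successful extraction would look like, but the only reliable answer to "am I exposed" is whether the installed version is below 2.9.8.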
Affected products
n/a · Paid Memberships Pro WordPress Plugin
Public PoCs found: 4
GitHub: github.com/cybfar/CVE-2023-23488-pmpro-2.8 (★ 1)
GitHub: github.com/long-rookie/CVE-2023-23488-PoC (★ 0)
CVE reference: packetstormsecurity.com/files/171661/WordPress-Paid-Memberships-Pro-2.9.8-SQL-Injection.html (unverified)
Exploit-DB: www.exploit-db.com/exploits/51235 (unverified)
⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.