Description
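The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statements, leading to authenticated SQL injection in the Members and Payments pages. Sort column and direction cannot be passed as bound query values, so the durable fix is to check orderby against an allowlist of known column names and restrict order to ASC or DESC; sites running the plugin should be on 2.4.2 or later. The record below tags this entry as CWE-79, although the flaw described is SQL injection (CWE-89), so CWE-based filtering or triage may misclassify it.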
Affected Software
Related
{"id": "CVE-2021-24728", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-24728", "description": "The Membership & Content Restriction \u2013 Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages.", "published": "2021-09-13T18:15:00", "modified": "2021-09-23T15:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24728", "reporter": "contact@wpscan.com", "references": ["https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptions", "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29172", "https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38"], "cvelist": ["CVE-2021-24728"], "immutableFields": [], "lastseen": "2022-03-23T15:03:02", "viewCount": 13, "enchantments": {"dependencies": {"references": 
[{"type": "wpexploit", "idList": ["WPEX-ID:2277D335-1C90-4FA8-B0BF-25873C039C38"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:2277D335-1C90-4FA8-B0BF-25873C039C38"]}], "rev": 4}, "score": {"value": 2.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:2277D335-1C90-4FA8-B0BF-25873C039C38"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:2277D335-1C90-4FA8-B0BF-25873C039C38"]}]}, "exploitation": null, "vulnersScore": 2.1}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "cozmoslabs:membership_\\&_content_restriction_-_paid_member_subscriptions", "version": "2.4.2", "operator": "lt", "name": "cozmoslabs membership \\& content restriction - paid member subscriptions"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:cozmoslabs:membership_\\&_content_restriction_-_paid_member_subscriptions:2.4.2:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.4.2", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptions", "name": "https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptions", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29172", "name": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29172", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38", "name": "https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"wpvulndb": [{"lastseen": "2021-11-26T19:23:29", "description": "The plugin did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages.\n\n### PoC\n\nhttp://www.example.com/wp-admin/admin.php?page=pms-members-page&orderby;=user_id&order;=asc,(select * from (select(sleep(10)))a)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-06T00:00:00", "type": "wpvulndb", "title": "Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24728"], "modified": "2021-09-10T16:04:27", "id": "WPVDB-ID:2277D335-1C90-4FA8-B0BF-25873C039C38", "href": "https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38", "sourceData": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "wpexploit": [{"lastseen": "2021-11-26T19:23:29", "description": "The plugin did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in 
the Members and Payments pages.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-06T00:00:00", "type": "wpexploit", "title": "Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24728"], "modified": "2021-09-10T16:04:27", "id": "WPEX-ID:2277D335-1C90-4FA8-B0BF-25873C039C38", "href": "", "sourceData": "http://www.example.com/wp-admin/admin.php?page=pms-members-page&orderby=user_id&order=asc,(select * from (select(sleep(10)))a)", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}