3 matches found
WordPress WPCOM Member <= 1.7.6 - SQL Injection
WPCOM Member plugin for WordPress up to 1.7.6 contains a time-based SQL Injection caused by insufficient escaping and lack of preparation on the 'userphone' parameter, letting unauthenticated attackers extract sensitive information, exploit requires sending crafted 'userphone' parameter. id:...
CVE-2025-2221
creationtimestamp| type| source ---|---|--- 2025-03-14 09:00:27+00:00| seen| Telegram/MoLM8hQiaQO2UtPbaOFwMBQpRxYe0wTCLGhlDqNNXet-jys 2025-03-14 10:40:49+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3lkdgd6txb426 2025-03-14 10:51:27+00:00| seen| https://t.me/cvedetector/20281...
CVE-2025-2221 WPCOM Member <= 1.7.6 - Unauthenticated Time-Based SQL Injection
The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘userphone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possibl...