
CVSS: 9.8 • EPSS: 40% • CPEs: 1 • EXPL: 3

The Paid Memberships Pro plugin for WordPress, in versions before 2.9.8, is vulnerable to unauthenticated SQL injection via the 'code' parameter of the /pmpro/v1/order REST route (CVE-2023-23488, per the linked proof-of-concept repositories). The parameter is used in an existing SQL query without escaping or parameterisation, so an unauthenticated attacker can append additional SQL to that query and extract sensitive information from the database. Note that the Packet Storm entry is titled "2.9.8"; 2.9.8 is the fixed release, and versions prior to it are the affected ones. • https://www.exploit-db.com/exploits/51235 https://github.com/r3nt0n/CVE-2023-23488-PoC https://github.com/cybfar/CVE-2023-23488-pmpro-2.8 http://packetstormsecurity.com/files/171661/WordPress-Paid-Memberships-Pro-2.9.8-SQL-Injection.html https://www.tenable.com/security/research/tra-2023-2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8 • EPSS: 2% • CPEs: 3 • EXPL: 1

The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code parameter in one of its REST routes (reachable by unauthenticated users) before using it in a SQL statement, leading to SQL injection. • https://wpscan.com/vulnerability/6c25a5f0-a137-4ea5-9422-8ae393d7b76b https://www.paidmembershipspro.com/pmpro-update-2-6-7-security-release • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
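Both SQL injection entries above describe the same defect class: a string taken from an unauthenticated REST request and placed directly into a query. The following is an added illustrative example, not Paid Memberships Pro's own code. The route name demo/v1/order, the table pmpro_demo_discount_codes and the pmpro_demo_* function names are assumptions chosen for the example; the WordPress APIs used (register_rest_route, $wpdb->prepare, $wpdb->get_row, sanitize_text_field, rest_ensure_response) are real.

```php
<?php
// Added example: a hypothetical discount-code lookup exposed as a public
// REST route. Not the plugin's code; table and route names are invented.

// VULNERABLE pattern. The 'code' query parameter is concatenated into the
// SQL string. A single quote in the value ends the string literal, so the
// attacker controls the rest of the statement (for example, appending a
// UNION or a boolean condition) and can read other rows or tables.
function pmpro_demo_order_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $code = $request->get_param( 'code' );
    $sql  = "SELECT id, code, discount FROM {$wpdb->prefix}pmpro_demo_discount_codes"
          . " WHERE code = '" . $code . "' LIMIT 1";
    return rest_ensure_response( $wpdb->get_row( $sql ) );
}

// FIXED pattern. $wpdb->prepare() binds the value with %s, which quotes and
// escapes it for the database, so a quote in the input is just data.
// sanitize_text_field() and the validate_callback below narrow the input
// further, but the prepare() call is what removes the injection.
function pmpro_demo_order_fixed( WP_REST_Request $request ) {
    global $wpdb;
    $code = sanitize_text_field( (string) $request->get_param( 'code' ) );
    $sql  = $wpdb->prepare(
        "SELECT id, code, discount FROM {$wpdb->prefix}pmpro_demo_discount_codes WHERE code = %s LIMIT 1",
        $code
    );
    $row = $wpdb->get_row( $sql );
    if ( null === $row ) {
        return new WP_Error( 'pmpro_demo_not_found', 'Unknown code', array( 'status' => 404 ) );
    }
    return rest_ensure_response( $row );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/order', array(
        'methods'  => 'GET',
        'callback' => 'pmpro_demo_order_fixed',
        // '__return_true' is what makes a route reachable without a login,
        // which is why an injection here is rated as unauthenticated.
        // Use a capability check instead if the data is not meant to be public.
        'permission_callback' => '__return_true',
        'args' => array(
            'code' => array(
                'required'          => true,
                // Reject anything outside a conservative code alphabet before
                // the callback runs; defence in depth on top of prepare().
                'validate_callback' => function ( $value ) {
                    return is_string( $value )
                        && 1 === preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $value );
                },
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this bug class, grep for `$wpdb->query`, `get_row`, `get_results` and `get_var` calls whose argument is built with string concatenation or interpolation from `$request->get_param()`, `$_GET` or `$_POST`, and confirm each one goes through `$wpdb->prepare()`; escaping alone (esc_sql) is easier to get wrong than a bound placeholder.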

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back into an HTML attribute on an admin page, leading to reflected cross-site scripting. • https://plugins.trac.wordpress.org/changeset/2632369/paid-memberships-pro/tags/2.6.6/adminpages/discountcodes.php https://wpscan.com/vulnerability/fc011990-4ec1-4553-901d-4ff1f482cb79 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

SQL injection vulnerability in Paid Memberships Pro versions prior to 2.5.6 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. • https://jvn.jp/en/jp/JVN08191557/index.html https://wordpress.org/plugins/paid-memberships-pro https://www.paidmembershipspro.com/pmpro-update-2-5-6 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Paid Memberships Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.2. This is due to missing or incorrect nonce validation in the pmpro_page_save() function. This makes it possible for unauthenticated attackers to save pages via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4 https://blo • CWE-352: Cross-Site Request Forgery (CSRF) •
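The CSRF entry above (missing nonce validation in a page-save handler) and the reflected XSS entry further up (an unescaped s parameter echoed into an attribute on an admin page) are both admin-page hygiene issues, so one added example covers both. This is illustrative code, not Paid Memberships Pro's own: the functions pmpro_demo_render_page() and pmpro_demo_save_page(), the nonce action and field names, the option name and the form fields are assumptions made for the example. The WordPress APIs used (wp_nonce_field, check_admin_referer, current_user_can, esc_attr, sanitize_text_field, wp_unslash, update_option, submit_button) are real.

```php
<?php
// Added example of a nonce-protected admin form that also escapes a
// reflected search parameter. Not the plugin's code; names are invented.

// Rendering side. Two things to note:
//  1. wp_nonce_field() emits a hidden token bound to the action string
//     'pmpro_demo_save_page'. A page on an attacker's site that auto-submits
//     a form to this admin URL cannot know the token, so the save fails.
//  2. The ?s= search term is reflected into a value="" attribute. Escaping
//     it with esc_attr() turns a quote in the input into &quot;, so the
//     input cannot close the attribute and start an onfocus= or <script>.
function pmpro_demo_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $s = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    ?>
    <form method="post">
        <?php wp_nonce_field( 'pmpro_demo_save_page', 'pmpro_demo_nonce' ); ?>
        <input type="text" name="s" value="<?php echo esc_attr( $s ); ?>" />
        <input type="text" name="page_title" value="" />
        <input type="hidden" name="pmpro_demo_action" value="save" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handler side. Order matters: decide whether this request is ours, then
// check the capability, then verify the nonce, and only then touch state.
function pmpro_demo_save_page() {
    if ( ! isset( $_POST['pmpro_demo_action'] ) || 'save' !== $_POST['pmpro_demo_action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_verify_nonce() on the named field and
    // dies if the token is missing, expired, or bound to a different action.
    // A handler that skips this line is what the CSRF entry describes.
    check_admin_referer( 'pmpro_demo_save_page', 'pmpro_demo_nonce' );

    $title = sanitize_text_field( wp_unslash( $_POST['page_title'] ?? '' ) );
    update_option( 'pmpro_demo_page_title', $title );
}
add_action( 'admin_init', 'pmpro_demo_save_page' );
```

The capability check does not replace the nonce: a CSRF victim is, by definition, an administrator whose browser already passes current_user_can(), so only the nonce distinguishes a request the admin meant to send from one a third-party page sent on their behalf.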