CVE-2021-24728

Опубликовано: 13 сент. 2021

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages.

Ссылки

https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptions
Third Party Advisory
https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38
Exploit
Third Party Advisory
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29172
Exploit
Third Party Advisory
https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptions
Third Party Advisory
https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38
Exploit
Third Party Advisory
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29172
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:cozmoslabs:membership_\&_content_restriction_-_paid_member_subscriptions:*:*:*:*:*:wordpress:*:*

Версия до 2.4.2 (исключая)

EPSS

Процентиль: 81%

0.01593

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-wq6m-fwgx-fx9f