[Nulled] » Information security » Popular WordPress plugins are vulnerable to serious or critical SQL injection vulnerabilities for which PoC exploits have been released. 
January 23 2023

Popular WordPress plugins are vulnerable to serious or critical SQL

Popular WordPress plugins are vulnerable to serious or critical SQL injection vulnerabilities for which PoC exploits have been released. 

The errors were discovered by Tenable's recercher Joshua Martinell, who reported them to WordPress on December 19, 2022, along with PoC.

Plugin developers have released updates to solve the problems in the following days, so all the problems in the latest versions have been fixed.

Yesterday, the researcher revealed the technical details and presented a PoC for each vulnerability.

The first plug-in is Paid Memberships Pro, a membership and subscription management tool used on more than 100,000 websites.

According to Tenable, the problem is related to the "code" parameter in the REST route /pmpro/v1/order before using it in the SQL statement.

Vulnerability with CVSSv3 9.8 is tracked as CVE-2023-23488 and affects all plugin versions older than 2.9.8, fixed on December 27, 2022.

The second WordPress add-on vulnerable to SQL injection is Easy Digital Downloads, an e-commerce solution with more than 50,000 active installations.

The problem is related to the "s" parameter in "edd_download_search" before using it in the SQL statement.

The vulnerability is tracked as CVE-2023-23489 and has received a CVSSv3 severity rating of 9.8. It affects all versions below 3.1.0.4, released on January 5, 2023.

Finally, Tenable discovered a serious CVE-2023-23490 in Survey Marker, a WordPress plugin used on 3,000 websites for surveys and market research.

The vulnerability received a CVSS rating of 8.8, since it requires authentication of the attacker at least as a subscriber. The fix is available from December 21, 2022 with version 3.1.2.

Tenable does not report what impact vulnerabilities can have if they are exploited in real attacks.

However, given the criticality of errors, plugin users are advised to upgrade to the latest version.

Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.

Comments:

This publication has no comments yet. You can be the first!

Information the publication:

  • Author of the publication: AdequateSchizo
  • Date of publication: 23 January 2023 12:06
  • Publication category(s): Information security
  • Number of views of the publication: 175
  • Number of comments to the publication: 0

Related News

16 January 2023
Information security
Experts warn of a

Experts warn of a critical vulnerability of the Linux kernel of 10 points on the CVSS scale, which affects SMB

Read more
16 January 2023
Information security
Thousands of Citrix ADC

Thousands of Citrix ADC and Gateway servers remain vulnerable to two major vulnerabilities fixed recently.

Read more
16 January 2023
Information security
Critical CVE-2022-44877

Critical CVE-2022-44877 with a severity rating of 9.8 out of 10, recently fixed in the Control Web Panel (formerly

Read more
16 January 2023
Information security
Most Cacti installations

Most Cacti installations on the Internet are not fixed and are vulnerable to a critical RCE error, which is

Read more
16 January 2023
Information security
The first January ICS

The first January ICS fixes came up with a dozen security recommendations from Siemens and Schneider Electric,

Read more

Information

Users of 🆅🅸🆂🅸🆃🅾🆁 are not allowed to comment this publication.

Site Search

Site Menu


☑ Websites Scripts

Calendar

«    December 2024    »
MonTueWedThuFriSatSun
 1
2345678
9101112131415
16171819202122
23242526272829
3031 

Advertisement

Survey on the website

Evaluate the work of the site
 

Statistics

  • +9 Total articles 6751
  • +17 Comments 4235
  • +22 Users : 6069