Vulnerability Description
The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cozmoslabs | Membership \& Content Restriction - Paid Member Subscriptions | < 2.4.2 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptionsThird Party Advisory
- https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38ExploitThird Party Advisory
- https://www.trustwave.com/en-us/resources/security-resources/security-advisoriesExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptionsThird Party Advisory
- https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38ExploitThird Party Advisory
- https://www.trustwave.com/en-us/resources/security-resources/security-advisoriesExploitThird Party Advisory
FAQ
What is CVE-2021-24728?
CVE-2021-24728 is a vulnerability with a CVSS score of 8.8 (HIGH). The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement,...
How severe is CVE-2021-24728?
CVE-2021-24728 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24728?
Check the references section above for vendor advisories and patch information. Affected products include: Cozmoslabs Membership \& Content Restriction - Paid Member Subscriptions.