The Paid Memberships Pro (PMPro) WordPress Plugin, a popular solution for managing user memberships, subscriptions, and restricted content access on WordPress websites, has been found to contain an unauthenticated SQL injection vulnerability in versions earlier than 2.9.8. This vulnerability, identified as CVE-2023-23488, affects the 'code' parameter of the '/pmpro/v1/order' REST route, and could lead to unauthorized disclosure of sensitive membership and order data, potentially exposing end-users to privacy breaches or identity theft. In this blog post, we will discuss the technical details of the vulnerability, as well as the potential impact and mitigation steps for affected users.

Exploit Details

This SQL injection vulnerability exists in the 'code' parameter of the '/pmpro/v1/order' REST route. Because the route requires no authentication, any remote user can inject arbitrary SQL into the query the plugin runs against the site's database. A successful exploit could lead to unauthorized access to sensitive user data such as member emails, passwords, and other personally identifiable information, as well as modification or manipulation of existing membership and order records.

Code Snippet

The following code snippet demonstrates the vulnerable 'code' parameter within the Paid Memberships Pro WordPress plugin endpoint:

// Paid_Memberships_Pro/includes/rest-api/v1/class-pmpro-rest-api-v1.php

function webhook_order( WP_REST_Request $request ) {
    // ... other code ...

    // Vulnerable 'code' parameter: taken straight from the unauthenticated
    // request, with no validation or escaping applied.
    $code = $request->get_param( 'code' );

    // ... other code ...

    // SQL query: the untrusted $code value flows into the order lookup,
    // where it is concatenated into the WHERE clause.
    $order = new MemberOrder();
    $order->getLastMemberOrder( $user_id, null, null, null, $code );

    // ... other code ...
}

To exploit this vulnerability, an attacker could construct a malicious request using a specially crafted 'code' parameter to inject SQL code, like the following example:

https://example.com/wp-json/pmpro/v1/order?code=1%27+OR+1%3D1

The above request URL-decodes to the SQL fragment "1' OR 1=1"; because the injected condition is always true, the affected plugin would return all membership orders rather than the single order matching a real code.
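From a defender's side, the request shape above is easy to spot in web server logs: a legitimate order code is a short alphanumeric token, so anything else in the 'code' parameter of the order route is worth an alert. The following Python script is an added example, not part of the original post or of the PMPro plugin. It parses combined-format access log lines (constructed samples, not real traffic), handles both the '/wp-json/' and the '?rest_route=' forms of the REST route, URL-decodes the parameter and flags values that fail an alphanumeric allowlist. The allowlist pattern for order codes is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jan/2023:18:20:01 +0000] "GET /wp-json/pmpro/v1/order?code=AB12CD34EF HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Jan/2023:18:20:07 +0000] "GET /wp-json/pmpro/v1/order?code=1%27+OR+1%3D1 HTTP/1.1" 200 9831 "-" "curl/7.81.0"
203.0.113.9 - - [20/Jan/2023:18:20:09 +0000] "GET /?rest_route=/pmpro/v1/order&code=1%27+OR+1%3D1 HTTP/1.1" 500 0 "-" "curl/7.81.0"
198.51.100.2 - - [20/Jan/2023:18:21:00 +0000] "GET /wp-json/pmpro/v1/levels HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ORDER_ROUTE = "/pmpro/v1/order"
# Assumption: a legitimate PMPro order code is a short alphanumeric token.
VALID_CODE_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


def order_code_from_target(target):
    """Return the decoded 'code' parameter if the request hits the order route, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # also decodes %27 and '+'
    route = parts.path
    if route.startswith("/wp-json"):
        route = route[len("/wp-json"):]          # pretty-permalink REST form
    elif "rest_route" in query:
        route = query["rest_route"][0]           # ?rest_route=/... fallback form
    if route.rstrip("/") != ORDER_ROUTE:
        return None
    return query.get("code", [""])[0]


def find_suspicious_order_requests(log_text):
    """Return (ip, status, decoded_code) for order requests whose code fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        code = order_code_from_target(match.group("target"))
        if code is None or VALID_CODE_RE.match(code):
            continue  # not the order route, or a well-formed code
        hits.append((match.group("ip"), int(match.group("status")), code))
    return hits


if __name__ == "__main__":
    for ip, status, code in find_suspicious_order_requests(SAMPLE_LOG):
        print(f"{ip} status={status} code={code!r}")
```

Run against a real log, a 200 response with an unusually large body on a flagged line is the strongest indicator that the injected condition actually returned extra orders.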

Original References

The vulnerability was initially reported by security researchers from [SecurityCompany], who published a detailed write-up on the issue on their official blog:

- SecurityCompany's Blog Post about CVE-2023-23488

Subsequently, the developers of the Paid Memberships Pro plugin have released a security update addressing the vulnerability:

- PMPro Changelog and Version 2.9.8 Release Notes

Mitigation & Recommendations

If you are using the Paid Memberships Pro WordPress plugin on your website, update it to version 2.9.8 or later as soon as possible to protect your users and your website from exploitation of this vulnerability. The plugin can be updated through the WordPress administrative panel, or by downloading the latest version directly from the plugin's website:

- Update Paid Memberships Pro Plugin on WordPress.org

It is also important to monitor all your WordPress plugins regularly and keep them up to date to minimize the risk of security issues. Additionally, consider security best practices such as strong and unique passwords for user accounts, limiting the exposure of sensitive data, and using security plugins to enhance the overall security of your WordPress website.

Timeline

Published on: 01/20/2023 18:15:00 UTC
Last modified on: 04/03/2023 20:15:00 UTC