JVNDB-2020-000033

[Japanese]
JVNDB-2020-000033
WordPress Plugin "Paid Memberships Pro" vulnerable to SQL injection
Overview
WordPress Plugin "Paid Memberships Pro" contains an SQL injection vulnerability (CWE-89). Kenichi Okuno of Mitsui Bussan Secure Directions, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 4.7 (Medium) [IPA Score] Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality Impact: Low Integrity Impact: Low Availability Impact: Low CVSS V2 Severity: Base Metrics 6.5 (Medium) [IPA Score] Access Vector: Network Access Complexity: Low Authentication: Single Instance Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
Affected Products

Stranger Studios Paid Memberships Pro versions prior to 2.3.3

Impact
An attacker who can access the administrative page of Paid Membership Pro may obtain and/or alter the information stored in the database.
Solution
[Update the plugin] Update the plugin according to the information provided by the developer.
Vendor Information
Stranger Studios Stranger Studios : Paid Memberships Pro Stranger Studios : PMPro Update 2.3.3 - Security Release
CWE (What is CWE?)
SQL Injection(CWE-89) [IPA Evaluation]
CVE (What is CVE?)
CVE-2020-5579
References
JVN : JVN#20248858 National Vulnerability Database (NVD) : CVE-2020-5579
Revision History
[2020/05/19] Web page was published


Date Public	2020/05/19
Date First Published	2020/05/19
Date Last Updated	2020/05/19

WordPress Plugin "Paid Memberships Pro" vulnerable to SQL injection