Authenticated SQL Injection in Membership & Content Restriction Plugin

Authenticated SQL Injection in Membership & Content Restriction Plugin

CVE-2021-24728 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages.

Learn more about our Wordpress Pen Testing.