{"containers": {"cna": {"affected": [{"product": "Membership & Content Restriction \u2013 Paid Member Subscriptions", "vendor": "Unknown", "versions": [{"lessThan": "2.4.2", "status": "affected", "version": "2.4.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Martin Vierula of Trustwave"}], "descriptions": [{"lang": "en", "value": "The Membership & Content Restriction \u2013 Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-13T17:56:44.000Z", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29172"}, {"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptions"}], "source": {"discovery": "UNKNOWN"}, "title": "Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24728", "STATE": "PUBLIC", "TITLE": "Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Membership & Content Restriction \u2013 Paid Member Subscriptions", "version": {"version_data": [{"version_affected": "<", "version_name": "2.4.2", "version_value": "2.4.2"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Martin Vierula of Trustwave"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Membership & Content Restriction \u2013 Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29172", "refsource": "MISC", "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29172"}, {"name": "https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38"}, {"name": "https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptions", "refsource": "CONFIRM", "url": "https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptions"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:42:16.634Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29172"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptions"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24728", "datePublished": "2021-09-13T17:56:44.000Z", "dateReserved": "2021-01-14T00:00:00.000Z", "dateUpdated": "2024-08-03T19:42:16.634Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cozmoslabs:membership_\\&_content_restriction_-_paid_member_subscriptions:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "FA90947C-3108-499F-A4B1-31A70A92B2FB", "versionEndExcluding": "2.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Membership & Content Restriction \u2013 Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages."}, {"lang": "es", "value": "El plugin Membership &amp; Content Restriction - Paid Member Subscriptions de WordPress versiones anteriores a 2.4.2, no saneaba, comprobaba o escapaba de sus par\u00e1metros order y orderby antes de usarlos en una sentencia SQL, conllevando a inyecciones SQL autenticadas en las p\u00e1ginas Members y Payments"}], "id": "CVE-2021-24728", "lastModified": "2024-11-21T05:53:38.743", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-13T18:15:19.283", "references": [{"source": "contact@wpscan.com", "tags": ["Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptions"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29172"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/changeset/2566399/paid-member-subscriptions"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/2277d335-1c90-4fa8-b0bf-25873c039c38"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29172"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "contact@wpscan.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}

{}