Impact
Unauthenticated SQL Injection exists in the WordPress WP eMember plugin version 10.9.3 and earlier, allowing an attacker to construct and execute arbitrary SQL statements. This flaw is a classic CWE-89 vulnerability that can compromise the confidentiality, integrity, and availability of the WordPress database and any data stored within it, including user credentials, content, and system configuration.
Affected Systems
The vulnerability affects installations of the WP eMember plugin developed by Tips and Tricks HQ, specifically all released versions lower than v10.9.4. Any WordPress site using one of these affected plugin builds is at risk.
Risk and Exploitability
The CVSS score of 9.3 illustrates a critical level of severity, reflecting the exploitation of a web‑based, unauthenticated input processing error that can lead to full database compromise. The EPSS score is not available, but the absence from the CISA KEV catalog does not preclude exploitation. The attack vector is most likely through the publicly accessible plugin endpoints, where malicious payloads can be injected without prior authentication. Given the high impact and typical web exposure, the risk of successful exploitation remains significant.
OpenCVE Enrichment