Blind SQL Injection Vulnerability in Membership Simplified Plugin by WordPress
CVE-2017-1002010

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Membership Simplified
Vendor: CVE Published:; 14 September 2017

Summary

The Membership Simplified plugin for WordPress, specifically version 1.58, contains a significant security flaw that allows for blind SQL injection. This vulnerability arises in the updateDB.php file, specifically in the delete_media function, where user input via the recordId parameter is not adequately sanitized. This oversight can enable attackers to manipulate database queries, potentially leading to unauthorized access and the exposure of sensitive user data.

Affected Version(s)

Membership Simplified < 1.58

References

http://www.vapidlabs.com/advisory.php?v=188

x_refsource_MISC

http://membership.officeautopilot.com/get-it-now/

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Sep 14, 2017