module
Wordpress Paid Membership Pro code Unauthenticated SQLi
| Disclosed | Created |
|---|---|
| Jan 12, 2023 | Jan 19, 2023 |
Disclosed
Jan 12, 2023
Created
Jan 19, 2023
Description
Paid Membership Pro, a WordPress plugin,
prior to 2.9.8 is affected by an unauthenticated SQL injection via the
`code` parameter.
Remote attackers can exploit this vulnerability to dump usernames and password hashes
from the `wp_users` table of the affected WordPress installation. These password hashes
can then be cracked offline using tools such as Hashcat to obtain valid login
credentials for the affected WordPress installation.
prior to 2.9.8 is affected by an unauthenticated SQL injection via the
`code` parameter.
Remote attackers can exploit this vulnerability to dump usernames and password hashes
from the `wp_users` table of the affected WordPress installation. These password hashes
can then be cracked offline using tools such as Hashcat to obtain valid login
credentials for the affected WordPress installation.
Authors
h00die
Joshua Martinelle
Joshua Martinelle
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.