Three popular WordPress plugins, with tens of thousands of active installations, at once turned out to have critical SQL injection vulnerabilities. In addition, PoC exploits for these bugs are now publicly available.
The vulnerabilities were discovered by Tenable, who notified WordPress developers about them back in mid-December 2022, providing them with proof-of-concept exploits. Currently, plugin authors have already released patches to solve problems, so the researchers have revealed the technical details of the bugs found.
Let me remind you that we also wrote that GoTrim Malware Hacks WordPress Sites, and also that Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites.
Information security specialists also informed that Hackers Scanned 1.6 Million WordPress Sites Looking for a Vulnerable Plugin.
The first plugin vulnerable to SQL injection is Paid Memberships Pro, a membership and subscription management plugin used by over 100,000 sites.
The vulnerability is being tracked as CVE-2023-23488 (CVSS score 9.8, i.e. critical) and affects all plugin versions older than 2.9.8. The issue has been fixed with the release of version 2.9.8.
The second vulnerable plugin is Easy Digital Downloads, an e-commerce and digital file selling plugin with over 50,000 active installations.
The vulnerability is being tracked as CVE-2023-23489 (also 9.8 on the CVSS scale) and affects all versions of the plugin older than 220.127.116.11 released before January 5, 2023.
Tenable also discovered a CVE-2023-23490 issue in the Survey Marker plugin used by 3,000 survey sites. The vulnerability received a CVSS score of 8.8, as an attacker must be authenticated (at least as a subscriber) in order to exploit the bug. Unfortunately, this condition can be easily met, since many sites allow visitors to register as members.
The vulnerability in the plugin was fixed with the release of version 3.1.2 at the end of December 2022.