CVE-2023-23488

Name of the Vulnerable Software and Affected Versions Paid Memberships Pro WordPress Plugin versions prior to 2.9.8

Description The issue is related to an unauthenticated SQL injection vulnerability. This vulnerability is located in the code parameter of the "/pmpro/v1/order" REST route. It may allow a remote attacker to execute arbitrary SQL queries due to a lack of protection measures for the SQL query structure.

Recommendations For versions prior to 2.9.8, update to version 2.9.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/pmpro/v1/order" REST route or avoiding the use of the code parameter in this endpoint until a patch is applied.