CVE-2023-0254

Name of the Vulnerable Software and Affected Versions Simple Membership WP user Import plugin for WordPress versions up to, and including, 1.7

Description The issue allows for SQL Injection via the orderby parameter due to insufficient escaping on the user-supplied parameter. This enables authenticated attackers with administrative privileges to append additional SQL queries into existing queries, potentially extracting sensitive information from the database.

Recommendations For versions up to, and including, 1.7, consider disabling the orderby parameter until a patch is available to prevent SQL Injection attacks. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the orderby parameter in the affected plugin until the issue is resolved.