CVE-2023-3416

Name of the Vulnerable Software and Affected Versions tagDiv Opt-In Builder plugin versions up to, and including, 1.4.4

Description The issue is related to Blind SQL Injection via the subscriptionCouponId parameter through the "create stripe subscription" REST API endpoint. This occurs due to insufficient escaping on user-supplied parameters and lack of sufficient preparation on existing SQL queries. Authenticated attackers with administrator-level privileges can append additional SQL queries to extract sensitive information from the database.

Recommendations For versions up to, and including, 1.4.4, update to a version that includes a fix for this issue to prevent Blind SQL Injection attacks. As a temporary workaround, consider restricting access to the "create stripe subscription" REST API endpoint and limiting the use of the subscriptionCouponId parameter until a patch is available.