PT-2024-12470 · Tagdiv · Tagdiv Opt-In Builder

Truoc Phan

·

Published

2024-08-17

·

Updated

2024-08-21

·

CVE-2023-3419

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

tagDiv Opt-In Builder plugin versions up to, and including, 1.4.4

Description

The issue concerns a Blind SQL Injection vulnerability via the couponId parameter of the "recreate stripe subscription" REST API endpoint. This vulnerability is due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query, allowing authenticated attackers with administrator-level privileges to append additional SQL queries into already existing queries. This can be used to extract sensitive information from the database.

Recommendations

For versions up to, and including, 1.4.4, consider disabling the recreate stripe subscription REST API endpoint or restricting access to the couponId parameter until a patch is available. Additionally, restrict administrator-level privileges to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
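As an added example (not code from the tagDiv Opt-In Builder plugin, whose source is not reproduced here), the unprepared-query pattern the description refers to, its prepared-statement counterpart, and a temporary rest_pre_dispatch block of the kind the recommendation suggests. The table name, function names and route strings are placeholders, not the plugin's real identifiers.

```php
<?php
// Added example, not code from the tagDiv plugin. Illustrates the class of bug
// the advisory describes and two defensive measures. Table/route names are placeholders.

// Unsafe pattern: the couponId value is concatenated straight into SQL. Escaping
// alone does not help when the value lands in an unquoted (numeric) position.
function example_lookup_coupon_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $coupon_id = $request->get_param( 'couponId' ); // untrusted, even from an admin
    $sql = "SELECT * FROM {$wpdb->prefix}example_coupons WHERE id = $coupon_id"; // injectable
    return $wpdb->get_row( $sql );
}

// Hardened: cast the value and bind it through $wpdb->prepare() so it can never
// change the query structure.
function example_lookup_coupon_safe( WP_REST_Request $request ) {
    global $wpdb;
    $coupon_id = (int) $request->get_param( 'couponId' );
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_coupons WHERE id = %d",
        $coupon_id
    );
    return $wpdb->get_row( $sql );
}

// Registering the route with an args schema rejects a non-integer couponId before
// the callback runs; permission_callback keeps the endpoint behind a capability check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/recreate-stripe-subscription', array(
        'methods'             => 'POST',
        'callback'            => 'example_lookup_coupon_safe',
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
        'args'                => array(
            'couponId' => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
        ),
    ) );
} );

// Temporary mitigation while unpatched (drop into an mu-plugin): refuse requests to
// the affected route. The route string is a placeholder; substitute the real one.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $blocked = '/PLACEHOLDER-NAMESPACE/v1/recreate-stripe-subscription';
    if ( $request->get_route() === $blocked ) {
        return new WP_Error( 'rest_forbidden', 'Endpoint disabled pending a patch.', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );
```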

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2023-3419

Affected Products

Tagdiv Opt-In Builder