PoC exploits for critical vulnerabilities in WordPress plugins

There are three popular WordPress plugins that have tens or thousands of installed users and they’re vulnerable to critical SQL injection vulnerabilities. Proof-of-concept exploits are now available.

SQL injection allows for attackers to enter data via URLs or form fields that alter legitimate database queries. This can be used to modify or return other data, or to modify an existing database.

An attacker can modify, delete, insert malicious scripts or gain complete access to websites if the code of the website is vulnerable to SQL injection.

Released Proof of Concept

Tenable security researcher Joshua Martinelle discovered the three vulnerabilities in these plugins and reported them to WordPress responsibly on December 19, 2022. He also included proofs of concepts (PoCs)

Security updates were released by the authors to fix the problems in the next days or weeks. Users who are using the most recent version of plugins will not be vulnerable.

Yesterday’s disclosures included technical information about the vulnerabilities and proof-of-concept exploits with the SLEEP function. This demonstrated how these flaws operate.

‘ was the first plugin to become vulnerable to SQL injection. This is a tool that manages subscriptions and memberships on over 100,000 sites.

“The plugin doesn’t escape the code parameter of the /pmpro/v1/order route REST route prior to using it in SQL statements, leading to unauthenticated SQL injection vulnerability,” .

CVE-2022-33488 is the flaw, which has a CVSSv3 severity score of 9.8 (critical). It affects plugins older than 2.9.8. Paid Memberships Pro corrected the flaw on December 27, 2022 with version 2.9.8.

The second WordPress addon that is vulnerable to SQL injection, . This is an ecommerce solution that allows you to sell digital files. It has over 50,000 installations.

“The plugin does not escape the ‘s’ parameter in the ‘edd_download_search’ action before using it in a SQL statement, leading to an unauthenticated SQL injection vulnerability,” explains Tenable.

“The vulnerable part of the code corresponds to the ‘edd_ajax_download_search()’ function of the ‘./includes/ajax-functions.php’ file.”

CVE-2022-33489 is the vulnerability being tracked. It has been assigned a CVSSv3 severity score of 9.8, which categorizes it as critical. This flaw affects all versions lower than 3.1.0.4. It was released January 5, 2023.

Tenable finally discovered CVE-202-23490, an ‘high-severity SQL injection flaw’ in’. This WordPress plugin is used by over 3,000 websites to conduct market research and surveys.

According to CVSS v3, the flaw was rated 8.8 because an attacker must be authenticated as at most a subscriber in order to exploit it.

This is a common requirement, since many sites allow users to sign up to become members.

Survey Marker responded quickly to Tenable’s SQL Injection Discovery. They released a fix update with version 3.1.2 on December 21st, 2022.

Tenable didn’t share the potential impact of any of these plugins if they were exploited as attacks.

It is highly recommended that sites with these plugins update to the most recent version, since the bugs have been categorized as “critical”.