CVE-2021-25114

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-25114

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25114.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-25114

Published

2022-02-07T16:15:46.240Z

Modified

2026-04-10T04:30:58.383344Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST route (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection

References

Affected packages

Git / github.com/strangerstudios/paid-memberships-pro

Affected ranges

Type

GIT

Repo

https://github.com/strangerstudios/paid-memberships-pro

Events

Introduced

abb47327a43d4ae034d1be35f6abc1126478ae76

Fixed

932abfb31ed813804756982dce3ee95640e041af

Introduced

d0b35d76e38ba5c2eac9bdea3100b81ff32ba419

Fixed

30918ac8ccf0ccd42a7ac518c3c606f65d8ee50f

Introduced

043b1adc825ea81f7ad3305025e80fb0856e698a

Fixed

59352fb4405bf7e1af99d6838cc2cfff180be660

Database specific

{
    "versions": [
        {
            "introduced": "2.4"
        },
        {
            "fixed": "2.4.5"
        },
        {
            "introduced": "2.5"
        },
        {
            "fixed": "2.5.11"
        },
        {
            "introduced": "2.6"
        },
        {
            "fixed": "2.6.7"
        }
    ]
}

Affected versions

2.*

2.5.10

2.5.10.1

2.5.10.2

2.6

2.6.1

2.6.1.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

v2.*

v2.4

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.5

v2.5.1

v2.5.2

v2.5.4

v2.5.5

v2.5.6

v2.5.7

v2.5.8

v2.5.9

v2.5.9.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25114.json"