Critical SQL Injection Vulnerability Patched in WordPress Membership Plugin

A critical security vulnerability discovered by Patchstack cybersecurity researchers within the widely-used Paid Membership Subscriptions WordPress plugin has recently been patched. This flaw could have allowed cybercriminals to access sensitive website databases without any authentication.

The Paid Membership Subscriptions plugin is a popular tool that helps website owners create membership sites and manage recurring subscriptions. It integrates with various payment methods and is designed to simplify monetizing a website through membership models. The plugin, used on over 10,000 websites worldwide, contained a serious SQL injection vulnerability in versions 2.15.1 and earlier.

A SQL injection is a type of cyberattack where malicious actors can insert harmful code into a website’s database queries. In this case, attackers could potentially:

  • Access sensitive user information
  • Steal membership data and payment details
  • Manipulate website content
  • Gain unauthorized control over affected websites

The security flaw existed in the plugin’s PayPal payment processing system. When handling payment notifications (webhooks), the plugin failed to properly validate and sanitize user input before sending it to the database. This oversight created an opening that cybercriminals could exploit to inject malicious SQL commands.
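As an added illustration of the pattern described above (this is not the plugin's own code; the function names, table name and the `txn_id` field are assumptions), here is a webhook lookup that interpolates a POSTed value straight into SQL, next to the same lookup hardened with `$wpdb->prepare()` and input validation:

```php
<?php
// Added example, not code from the plugin. Table, function and field names are assumed.
// A PayPal notification arrives as an unauthenticated POST, so every field in it is
// attacker-controllable and must never reach SQL as raw text.

// BEFORE (vulnerable pattern): the POSTed field is spliced into the query string.
function pms_example_find_payment_unsafe( $txn_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pms_payments'; // assumed table name
    // A single quote inside $txn_id ends the string literal, and whatever
    // follows it is executed as part of the statement.
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE transaction_id = '{$txn_id}'" );
}

// AFTER (hardened): the value is bound through prepare(), so it is escaped and
// can only ever be compared as data, never parsed as SQL.
function pms_example_find_payment_safe( $txn_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pms_payments'; // assumed table name
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE transaction_id = %s", $txn_id )
    );
}

// Hypothetical webhook entry point: reject anything that does not look like a
// transaction id before touching the database at all.
function pms_example_handle_paypal_ipn() {
    $txn_id = isset( $_POST['txn_id'] ) ? sanitize_text_field( wp_unslash( $_POST['txn_id'] ) ) : '';
    // Allow-list the expected shape (upper-case alphanumerics; the length bound is an assumption).
    if ( ! preg_match( '/^[A-Z0-9]{1,32}$/', $txn_id ) ) {
        status_header( 400 );
        exit;
    }
    $payment = pms_example_find_payment_safe( $txn_id );
    if ( ! $payment ) {
        status_header( 404 );
        exit;
    }
    // From here the notification would still be verified with PayPal before the
    // payment record is updated, e.g. via $wpdb->update() with a format array.
}
```

The allow-list check is defence in depth: `$wpdb->prepare()` alone closes the injection, while the shape check also stops malformed notifications from reaching the database.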

Version 2.15.2 was released with the fix for this vulnerability and comprehensive security improvements.

If you’re using the Paid Membership Subscriptions plugin, update to at least version 2.15.2 immediately through your WordPress admin panel. If unsure of your current version, navigate to your WordPress plugins section and verify you’re running at least 2.15.2.

Review your website logs for any suspicious activity that may have occurred before the patch, and consider running a comprehensive security scan of your website to ensure no unauthorized access occurred.

This incident serves as a reminder that website security, including in the WordPress ecosystem, which powers over 40% of all websites, is an ongoing responsibility requiring constant vigilance and timely updates.

For more details about this vulnerability and its discovery, read the Patchstack security report here.
