carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Paid Membership Subscriptions (WordPress) — Unauthenticated SQL Injection via PayPal IPN


At-a-Glance

  • Plugin: Paid Membership Subscriptions (WordPress) — over 10,000 active installs.
  • Affected versions: ≤ 2.15.1
  • Patched version: 2.15.2
  • CVE: CVE-2025-49870
  • Severity: CVSS 7.5 (High)

Impact

Unauthenticated SQL...

🔧 Technical Details

Abusing third‑party webhooks for SQL injection: Identify public payment/IPN webhooks that accept unauthenticated POSTs, then trace how a field (here, `custom`) becomes a database identifier. If the value is concatenated into SQL (e.g., `WHERE id = {$id}`) without binding, inject boolean/UNION payloads. Ensure any upstream verifier (e.g., IPN validation or sandbox mode) is satisfied so execution reaches the sink. The generic flow to hunt is: `webhook_handler()` → `model_lookup($user_input)` → unparameterized `SELECT ... WHERE id = {$input}`.

🤖 Agent Actions

Completed updates.

What I added

  • SQL Injection main page (src/pentesting-web/sql-injection/README.md)

    • New subsection: “Abusing unauthenticated webhooks/IPN to reach SQL sinks (WordPress PayPal IPN case study)”
    • Covers the generic attack flow for public payment/webhook listeners, the WordPress PayPal IPN case, exploitation notes (boolean/UNION-based), mitigation with $wpdb->prepare()/absint(), and detection/hardening guidance.
    • Updated References with:
      • Patchstack advisory (blog URL provided)
      • WordPress $wpdb->prepare() docs
      • PayPal IPN docs
  • WordPress pentesting page (src/network-services-pentesting/pentesting-web/wordpress.md)

    • New subsection under “Wordpress Plugins Pentest” examples:
      • “Unauthenticated SQL Injection via PayPal IPN (Paid Membership Subscriptions ≤ 2.15.1)”
      • Details endpoint, data flow, vulnerable sink, exploitation notes, patched code, and hardening.
    • Added the Patchstack advisory link to the References list.

Why these locations

  • The technique is a SQLi class that’s triggered via public third‑party webhook/IPN flows, so it fits as a reusable pattern in the SQL Injection page.
  • It’s a WordPress plugin example with concrete code paths, so adding a case study in the WordPress page under plugin pentesting aligns with existing content.

No duplication

  • I verified existing SQLi and WordPress pages; there was no existing coverage of IPN/webhook‑driven SQLi for this plugin pattern, so these are new and relevant additions.

References added

  • SQL Injection via PayPal IPN in Paid Membership Subscriptions (Patchstack)
  • WordPress $wpdb->prepare() documentation
  • PayPal IPN overview

If you want me to also add a short cross-reference from the WordPress page to the SQL Injection page’s new subsection (or vice versa) with an internal {{#ref}} block, I can add that too.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
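The sink pattern described in the Technical Details and the `$wpdb->prepare()`/`absint()` mitigation named in the summary, shown side by side as an added illustration. This is constructed example code, not the plugin's or HackTricks' own; the function and table names are hypothetical and it assumes the WordPress globals (`$wpdb`, `absint()`) are loaded.

```php
<?php
// Constructed example (not the plugin's code): a hypothetical WordPress IPN
// listener that maps the PayPal `custom` POST field to a subscription row id.
// Assumes WordPress is bootstrapped so $wpdb and absint() are available.

// Vulnerable pattern: the attacker-controlled webhook field is interpolated
// straight into the SQL string, so the database executes whatever was POSTed.
function pms_example_lookup_unsafe( $custom ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pms_example_subscriptions'; // hypothetical table
    $sql   = "SELECT * FROM {$table} WHERE id = {$custom}";
    return $wpdb->get_row( $sql );
}

// Hardened pattern: coerce the identifier to a non-negative integer and bind
// it with $wpdb->prepare(); the %d placeholder guarantees that only an
// integer literal ever reaches MySQL, regardless of what the webhook sent.
function pms_example_lookup_safe( $custom ) {
    global $wpdb;
    $id = absint( $custom );
    if ( 0 === $id ) {
        return null; // reject non-numeric or zero ids before touching the DB
    }
    $table = $wpdb->prefix . 'pms_example_subscriptions'; // hypothetical table
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_row( $sql );
}

// Entry point a public IPN endpoint would call. The IPN must be verified
// with PayPal before any lookup happens; the verifier is a hypothetical stub.
function pms_example_ipn_handler( array $post ) {
    if ( ! pms_example_ipn_is_verified( $post ) ) { // hypothetical verifier
        return null; // unverified notification: never reach the SQL sink
    }
    return pms_example_lookup_safe( $post['custom'] ?? '' );
}
```

Reviewing a handler for this class of bug means checking that the `custom` (or any webhook) field reaches the query only through `prepare()` with a typed placeholder, and that the verification step cannot be skipped by a sandbox or debug flag.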

…hip Subsc...

- Remove searchindex.js (auto-generated file)
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://patchstack.com/articles/sql-injection-vulnerability-patched-in-paid-membership-subscriptions-plugin/

Content Categories: Based on the analysis, this content was categorized under "Web Pentesting / SQL Injection (e.g., a subsection: Abusing unauthenticated webhooks/IPN to reach SQL sinks – WordPress PayPal IPN case study)".

Repository Maintenance:

  • MD Files Formatting: 878 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
