CVE-2023-0631
Published: 20 March 2023
Summary
CVE-2023-0631 is a high-severity SQL Injection (CWE-89) vulnerability in Strangerstudios Paid Memberships Pro. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-0631 is an SQL injection issue (CWE-89) in the Paid Memberships Pro WordPress plugin prior to version 2.9.12. The root cause is twofold: the plugin's shortcode handlers concatenate user-controlled shortcode attributes directly into SQL queries instead of parameterising them, and the plugin does not prevent low-privileged users (subscribers) from rendering those shortcodes.
Authenticated subscribers can exploit the flaw over the network with low complexity and no user interaction required, enabling them to read, modify, or delete arbitrary database contents and achieve complete compromise of confidentiality, integrity, and availability.
References published by WPScan describe the affected shortcode paths and indicate that the issue is resolved by upgrading to version 2.9.12 or later.
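To illustrate the weakness class described above, the following is an added example, not Paid Memberships Pro's own code: a hypothetical WordPress shortcode handler that concatenates an attribute into SQL, beside the parameterised and access-gated form a defender would expect to see after a fix. The shortcode name, table name and attribute are assumed.

```php
<?php
// Added illustration of CWE-89 via shortcode attributes. The shortcode
// 'example_members', the table 'example_memberships' and the 'level'
// attribute are hypothetical; this is not Paid Memberships Pro code.

// Vulnerable pattern: the attribute value is concatenated into the query, so
// whoever can render the shortcode controls part of the SQL text verbatim.
function example_members_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'level' => '1' ), $atts, 'example_members' );
    $sql  = "SELECT user_id FROM {$wpdb->prefix}example_memberships"
          . " WHERE membership_id = " . $atts['level'];
    $rows = $wpdb->get_col( $sql );
    return esc_html( count( $rows ) ) . ' members';
}

// Hardened pattern: coerce the attribute to the expected type and bind it
// through $wpdb->prepare(), so the value can never alter the query structure.
function example_members_shortcode_safe( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'level' => '1' ), $atts, 'example_members' );
    $level = absint( $atts['level'] ); // non-negative integer only
    $sql   = $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->prefix}example_memberships WHERE membership_id = %d",
        $level
    );
    $rows = $wpdb->get_col( $sql );
    return esc_html( count( $rows ) ) . ' members';
}

// Second layer: the advisory notes that subscribers could render the affected
// shortcodes. Where a shortcode is not intended for low-privileged users, gate
// it behind a capability check (capability chosen here is an assumption).
function example_members_shortcode( $atts ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }
    return example_members_shortcode_safe( $atts );
}
add_shortcode( 'example_members', 'example_members_shortcode' );
```

Detection-wise, reviewers can grep plugin code for `$wpdb->query`, `get_results`, `get_col` or `get_var` calls whose argument is built with string concatenation or interpolation of `$atts[...]` rather than passed through `$wpdb->prepare()`.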
The EPSS score for this CVE rose from lower values to a peak of 0.8013 on 2026-02-03 before receding to the current score of 0.5968, indicating post-disclosure exploitation interest that warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12665
Vulnerability details
The Paid Memberships Pro WordPress plugin before 2.9.12 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.