Cyber Resilience

CVE-2023-0631

Severity: High · Public PoC

Published: 20 March 2023
Modified: 26 February 2025
KEV Added: not listed
Patch: fixed in 2.9.12 (per the WPScan references)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5968 (98.3rd percentile)
Risk Priority: 53 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-0631 is a high-severity SQL Injection (CWE-89) vulnerability in Strangerstudios Paid Memberships Pro. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-0631 is an SQL injection issue (CWE-89) in the Paid Memberships Pro WordPress plugin prior to version 2.9.12. The root cause is that shortcode attributes, which a user controls, are concatenated directly into SQL queries instead of being bound as parameters.

Authenticated subscribers can exploit the flaw over the network with low complexity and no user interaction required, enabling them to read, modify, or delete arbitrary database contents and achieve complete compromise of confidentiality, integrity, and availability.

References published by WPScan describe the affected shortcode paths and indicate that the issue is resolved by upgrading to version 2.9.12 or later.
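The root-cause pattern described above, as an added illustration that is not Paid Memberships Pro's own code: a hypothetical shortcode handler that concatenates an attribute into a query, shown beside the hardened form that casts the value and binds it through `$wpdb->prepare()`. The shortcode name, table name and `level` attribute are assumptions.

```php
<?php
// Added illustration, not code from the Paid Memberships Pro plugin.
// The shortcode name, the table and the 'level' attribute are hypothetical.

// VULNERABLE pattern: the attribute value goes straight into the SQL string.
// Anyone who can get this shortcode rendered (the advisory notes subscribers
// could) controls part of the query text.
function example_member_count_vulnerable( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'level' => '1' ), $atts, 'example_member_count' );
    $table = $wpdb->prefix . 'example_memberships';
    $sql   = "SELECT COUNT(*) FROM {$table} WHERE membership_id = " . $atts['level'];
    return (string) $wpdb->get_var( $sql );
}

// HARDENED pattern: coerce the attribute to a non-negative integer and bind it
// with $wpdb->prepare(), so the query structure can no longer be altered by
// the attribute. The table name comes from $wpdb->prefix, never from input.
function example_member_count_safe( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'level' => '1' ), $atts, 'example_member_count' );
    $level = absint( $atts['level'] );
    $table = $wpdb->prefix . 'example_memberships';
    $sql   = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE membership_id = %d",
        $level
    );
    return (string) $wpdb->get_var( $sql );
}

// Register only the hardened handler.
add_shortcode( 'example_member_count', 'example_member_count_safe' );
```

When reviewing a plugin for this weakness, grep for `$wpdb->` calls whose query string is built with `.` or `{$...}` interpolation of anything derived from `$atts`, and confirm each one is routed through `prepare()` with a matching placeholder.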

EPSS for the CVE rose from lower values to a peak of 0.8013 on 2026-02-03 before receding to the current score of 0.5968, indicating post-disclosure exploitation interest that warrants renewed attention.

Vulnerability details

The Paid Memberships Pro WordPress plugin before 2.9.12 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

strangerstudios / paid memberships pro, versions ≤ 2.9.12

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (addresses: CWE-89)
- Input validation validates query inputs to prevent SQL syntax or command manipulation. (addresses: CWE-89)

References