Information security experts have reported a critical vulnerability in Simple Membership, a popular WordPress plugin that allows webmasters to easily manage memberships on their websites.

According to the report, successful exploitation of this flaw would allow threat actors to execute arbitrary SQL queries against the website database, which could lead to other risk scenarios.  

Below is a brief summary of the reported flaw, along with its identifier and the score assigned under the Common Vulnerability Scoring System (CVSS).

Tracked as CVE-2021-29232, this flaw exists due to insufficient sanitization of user-supplied data in multiple parameters, which could be exploited by threat actors to send specially crafted requests to Simple Membership in order to execute arbitrary SQL commands on the affected database.

The flaw received a CVSS score of 7.1/10 and its successful exploitation would allow malicious hackers to read, delete or modify the information on the vulnerable website, as well as gain full control over the plugin.

The vulnerability affects the following versions of Simple Membership: 1.2, 1.3, 1.4, 1.5, 1.5.1, 1.6, 1.7, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9, 2.0, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 3.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.5.1, 3.7.6, 3.7.7, 3.7.8, 3.7.9, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.9.9, 4.0.0, 4.0.1, 4.0.2 and 4.0.3.
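To check an installation against the version list above, the following added example (not code from the plugin or from the original report) reads the `Version:` header from the plugin's PHP files and flags anything from 1.2 through 4.0.3. It assumes the listed versions form one contiguous range and that the plugin sits in a `simple-membership` directory under `wp-content/plugins`; the sample headers are constructed.

```python
import re
from pathlib import Path

# Assumption: the versions listed in the report form one range, 1.2 to 4.0.3.
FIRST_AFFECTED, LAST_AFFECTED = (1, 2), (4, 0, 3)

# WordPress reads the plugin version from a "Version:" line in the header
# comment of the plugin's main PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(version):
    """True if 1.2 <= version <= 4.0.3; missing components count as zero."""
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(FIRST_AFFECTED) <= pad(version) <= pad(LAST_AFFECTED)


def audit(wp_root, slug="simple-membership"):
    """Yield (file, version, affected) for plugin headers under wp_root."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / slug
    for php in sorted(plugin_dir.glob("*.php")):
        # Only the start of the file is relevant for the header comment.
        version = parse_version(php.read_text(errors="replace")[:8192])
        if version is not None:
            yield php.name, version, is_affected(version)


# Constructed sample headers (not copied from the plugin).
SAMPLE_OLD = "<?php\n/*\nPlugin Name: Example Membership\nVersion: 3.7.5.1\n*/\n"
SAMPLE_NEW = "<?php\n/*\n * Plugin Name: Example Membership\n * Version: 4.0.4\n */\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        v = parse_version(sample)
        print(".".join(map(str, v)), "affected" if is_affected(v) else "outside listed range")
```

Call `audit("/path/to/wordpress")` on a real document root to list each header found and whether its version falls in the listed range.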

Although the flaw can be exploited remotely by unauthenticated threat actors, information security experts say that no active exploitation attempts or malware variants associated with the attack have been detected so far.

Updates are now available, so it is recommended that all Simple Membership users install them as soon as possible. To learn more about information security risks, malware, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.