The MStore API WordPress plugin before 3.9.8 does not...
Critical severity
Unreviewed
Published
Jul 10, 2023
to the GitHub Advisory Database
•
Updated Apr 4, 2024
Description
Published by the National Vulnerability Database
Jul 10, 2023
Published to the GitHub Advisory Database
Jul 10, 2023
Last updated
Apr 4, 2024
The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins' pro features, and uses the woocommerce-appointments plugin.
References