
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The Paid Memberships Pro WordPress plugin, in versions before 2.6.7, contained an unauthenticated SQL injection vulnerability (CVE-2021-25114). The vulnerability existed because the plugin did not properly escape the discount_code parameter in one of its REST routes before using it in a SQL statement, and that route was accessible to unauthenticated users (WPScan).
The vulnerability was in the REST API endpoint that handles checkout levels: the discount_code parameter of the /pmpro/v1/checkout_level route was not properly escaped before being used in SQL queries. The vulnerability received a CVSS score of 10.0 (Critical), the highest severity level. It was classified as a SQL Injection (SQLi) vulnerability under OWASP Top 10 category A1: Injection and CWE-89 (WPScan).
The vulnerability could be exploited to perform distributed denial of service (DDoS) attacks and potentially to read information from the WordPress database that was not intended to be public (PMPro Blog).
The vulnerability was patched in version 2.6.7 of the Paid Memberships Pro plugin. The fix updated the escaping in the pmpro_getLevelAtCheckout and pmpro_checkDiscountCode functions by wrapping the $discount_code and $level_id variables with the esc_sql() function. Users were advised to update to version 2.6.7 as soon as possible (PMPro Blog).
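As an added illustration (constructed for this entry, not Paid Memberships Pro's own code), the defect class described above and the two ways of closing it: a REST route callback that reads discount_code from the request and builds a $wpdb query from it. The function names with the example_ prefix, the example/v1 namespace and the table name are assumptions; esc_sql(), $wpdb->prepare(), register_rest_route() and __return_true are the real WordPress APIs.

```php
<?php
// Constructed example (not Paid Memberships Pro code): a REST route callback
// that looks up a discount code. Function and table names are hypothetical.

// BEFORE (the defect class described above): the request parameter is
// concatenated straight into SQL, so a quote character in discount_code
// changes the meaning of the query.
function example_check_discount_code_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $discount_code = $request->get_param( 'discount_code' );
    $sql = "SELECT id, code FROM {$wpdb->prefix}pmpro_discount_codes "
         . "WHERE code = '" . $discount_code . "' LIMIT 1";
    return rest_ensure_response( $wpdb->get_row( $sql ) );
}

// AFTER, in the form the 2.6.7 fix is described: escape the value with
// esc_sql() before interpolating it. Note that esc_sql() is only safe when
// the value sits inside a quoted SQL string literal, as it does here.
function example_check_discount_code_escaped( WP_REST_Request $request ) {
    global $wpdb;
    $discount_code = esc_sql( $request->get_param( 'discount_code' ) );
    $sql = "SELECT id, code FROM {$wpdb->prefix}pmpro_discount_codes "
         . "WHERE code = '" . $discount_code . "' LIMIT 1";
    return rest_ensure_response( $wpdb->get_row( $sql ) );
}

// Preferred form in WordPress: a placeholder query via $wpdb->prepare(),
// which quotes and escapes the value itself (%s for strings, %d for
// integers such as a level id), so no quoting convention can be forgotten.
function example_check_discount_code_prepared( WP_REST_Request $request ) {
    global $wpdb;
    $discount_code = (string) $request->get_param( 'discount_code' );
    $sql = $wpdb->prepare(
        "SELECT id, code FROM {$wpdb->prefix}pmpro_discount_codes "
        . "WHERE code = %s LIMIT 1",
        $discount_code
    );
    return rest_ensure_response( $wpdb->get_row( $sql ) );
}

// Registering the route. A permission_callback of __return_true makes the
// route reachable without authentication, which is why the input handling
// in the callback carries the whole risk.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/checkout_level', array(
        'methods'             => 'GET',
        'callback'            => 'example_check_discount_code_prepared',
        'permission_callback' => '__return_true',
    ) );
} );
```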
Source: This report was generated using AI