CVE-2023-23488: 
WordPress vulnerability analysis and mitigation

The Paid Memberships Pro WordPress Plugin versions prior to 2.9.8 was affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route (Tenable Advisory, NVD). The vulnerability was discovered by Joshua Martinelle and disclosed on January 20, 2023.

The vulnerability exists due to improper sanitization and escaping of the 'code' parameter before its use in SQL statements via the /pmpro/v1/order REST route. This allows unauthenticated attackers to perform SQL injection attacks. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating its severe nature (NVD, WPScan).

The vulnerability allows attackers to execute arbitrary SQL commands on the affected WordPress installation's database. This could lead to unauthorized access to sensitive data, including the ability to retrieve WordPress usernames and password hashes using Time-Based Blind SQL Injection techniques (Rapid7).

The vulnerability was patched in version 2.9.8 of the Paid Memberships Pro WordPress plugin. Users are strongly advised to update to this version or later to protect against potential attacks (Tenable Advisory).