SQL Injection Discovered And Fixed In Slimstat Analytics and Paid Memberships Pro

During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, we uncovered two SQL Injection vulnerabilities that could allow low-privileged users like subscribers to leak sensitive information from a site’s database.

If exploited, the vulnerability could grant attackers access to privileged information from affected sites’ databases (e.g., usernames and hashed passwords).

We reported the vulnerabilities to the plugins’ authors, and they recently released Slimstat Analytics version and Paid Memberships Pro version 2.9.12 to address them. We strongly recommend that you update affected plugins to their respective latest version, and have an established security solution on your site, such as Jetpack Security.

Subscriber+ SQL Injection in Slimstat Analytics

| Field | Value |
| --- | --- |
| Plugin Name | Slimstat Analytics |
| Plugin URI | https://wordpress.org/plugins/wp-slimsta |
| Affected Versions | Every version between 4.1 and |
| WPScan ID | b82bdd02-b699-4527-86cc-d60b56ab0c55 |
```php
// Init the database library with the appropriate filters
if ( strpos( $_content, 'WHERE:' ) !== false ) {
    // Everything after the "WHERE:" token is taken verbatim as a SQL WHERE clause
    $where = html_entity_decode( str_replace( 'WHERE:', '', $_content ), ENT_QUOTES, 'UTF-8' );
    wp_slimstat_db::init( html_entity_decode( $_content, ENT_QUOTES, 'UTF-8' ) );
}

switch ( $f ) {
    case 'count':
    case 'count-all':
        // The unsanitized $where fragment goes straight to the query builder
        $output = wp_slimstat_db::count_records( $w, $where, strpos( $f, 'all' ) === false ) + $o;
        break;
}
```

The slimstat shortcode lets users add filtering logic in the form of raw SQL WHERE statements by looking for a “WHERE:” token inside the shortcode’s content. This functionality is a problem since, as we’ve reported in another vulnerability advisory before, any user logged in to a site, including subscribers, can render shortcodes in WordPress.
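The safer pattern is to never accept SQL from shortcode content at all. The following is an added example, not Slimstat’s code: instead of a “WHERE:” token, it accepts `key:value` filter pairs, checks each key against an allow-list of columns, and binds every value through a placeholder. The `stats` table, its columns, the filter syntax and the sample rows are constructed for the demo and are not Slimstat’s schema; it runs with PHP’s bundled PDO SQLite driver and no WordPress.

```php
<?php
// Added example (not Slimstat's code): a shortcode filter parser that never
// forwards raw SQL. Only allow-listed columns may be filtered, and values are
// bound as parameters. Table, columns, syntax and rows are constructed.

// Only these columns may be filtered, with the type each value is coerced to.
const ALLOWED_FILTERS = [
    'country'  => 'string',
    'resource' => 'string',
    'visit_id' => 'int',
];

/**
 * Turn shortcode content such as "country:US resource:/pricing/" into a
 * parameterised WHERE clause plus its bound values. Anything that is not an
 * allow-listed key:value pair is rejected rather than passed to the database.
 */
function build_filter_where(string $content): array {
    $clauses = [];
    $params  = [];
    foreach (preg_split('/\s+/', trim($content), -1, PREG_SPLIT_NO_EMPTY) as $token) {
        if (!preg_match('/^([a-z_]+):(.+)$/', $token, $m)) {
            throw new InvalidArgumentException("Malformed filter token: $token");
        }
        [, $key, $value] = $m;
        if (!isset(ALLOWED_FILTERS[$key])) {
            throw new InvalidArgumentException("Filter key not allowed: $key");
        }
        $clauses[] = "$key = ?";  // the column name comes from the allow-list only
        $params[]  = ALLOWED_FILTERS[$key] === 'int' ? (int) $value : $value;
    }
    $where = $clauses ? ' WHERE ' . implode(' AND ', $clauses) : '';
    return [$where, $params];
}

// The equivalent of a "count" shortcode: the WHERE clause is built from the
// allow-list, the values travel separately as bound parameters.
function count_records(PDO $pdo, string $content): int {
    [$where, $params] = build_filter_where($content);
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM stats$where");
    $stmt->execute($params);
    return (int) $stmt->fetchColumn();
}

function demo(): void {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec("CREATE TABLE stats (visit_id INTEGER, country TEXT, resource TEXT)");
    // Constructed sample data.
    $pdo->exec("INSERT INTO stats VALUES (1, 'US', '/pricing/'), (2, 'FR', '/pricing/'), (3, 'US', '/about/')");

    echo count_records($pdo, 'country:US'), "\n";                     // 2
    echo count_records($pdo, 'country:US resource:/pricing/'), "\n";  // 1

    // A value carrying SQL syntax is bound as a literal string, so it matches nothing.
    echo count_records($pdo, "country:US'OR'1'='1"), "\n";            // 0

    // Content shaped like the old "WHERE:" convention is not valid filter syntax.
    try {
        count_records($pdo, 'WHERE:1=1');
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}

demo();
```

In a real WordPress handler this should be paired with a capability check (for example `current_user_can( 'manage_options' )`) before honouring any filter at all, because, as the advisory notes, every logged-in user can render shortcodes.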

A proof of concept exploit for this vulnerability will be available on this vulnerability’s WPScan entry.

Subscriber+ SQL Injection in Paid Memberships Pro

| Field | Value |
| --- | --- |
| Plugin Name | Paid Memberships Pro |
| Plugin URI | https://wordpress.org/plugins/paid-memberships-pro/ |
| Affected Versions | Every version between 1.5.5 and 2.9.12 |
| WPScan ID | 19ef92fd-b493-4488-91f0-e6ba51362f79 |
```php
if ( $hasaccess && ! empty( $delay ) ) {
    //okay, this post requires membership. start by getting the user's startdate
    // Variant with a level list: each level passes through esc_sql(), but lands inside
    // IN( ... ) rather than inside a quoted string, so the escaping does not constrain it
    $sqlQuery = "SELECT UNIX_TIMESTAMP(CONVERT_TZ(startdate, '+00:00', @@global.time_zone)) FROM $wpdb->pmpro_memberships_users WHERE status = 'active' AND membership_id IN(" . implode(",", array_map( 'esc_sql', $levels ) ) . ") AND user_id = '" . esc_sql( $current_user->ID ) . "' ORDER BY id LIMIT 1";
    // Variant without a level list (the branch that selects between the two is not shown here)
    $sqlQuery = "SELECT UNIX_TIMESTAMP(CONVERT_TZ(startdate, '+00:00', @@global.time_zone)) FROM $wpdb->pmpro_memberships_users WHERE status = 'active' AND user_id = '" . esc_sql( $current_user->ID ) . "' ORDER BY id LIMIT 1";
}
```

While, at first sight, it may look like the `membership` shortcode properly escapes the $levels variable before concatenating it to an SQL query, the escaped content is not placed inside a quoted string. Escaping only neutralizes quotes and backslashes, so an attacker can abuse that feature to inject SQL statements, so long as they don’t contain any quotes.

Since shortcodes can be rendered by any logged-in users, like subscribers, this enables low-privileged attackers to leak sensitive information from the database, like usernames and hashed passwords.
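To make the string-context point concrete, here is an added example that is not Paid Memberships Pro’s code. It builds the same shape of query two ways: the vulnerable way, where escaped values are concatenated into a numeric `IN()` list, and a hardened way, where each level is cast to an integer (WordPress offers `absint()` for this) and every value is bound through a placeholder. The `memberships` table, its rows and the `stand_in_esc_sql()` helper (which uses `addslashes()` because no WordPress is loaded) are constructed for the demo.

```php
<?php
// Added example, not Paid Memberships Pro's code. Shows why escaping a value
// that lands outside a quoted string does not stop injection, and the
// hardened alternative. Table, rows and stand_in_esc_sql() are constructed.

function stand_in_esc_sql(string $value): string {
    // Like esc_sql(), this neutralises quotes and backslashes and adds nothing else.
    return addslashes($value);
}

// Vulnerable pattern: escaped values concatenated into a numeric IN() list.
// A value that contains no quotes passes through the escaper unchanged.
function build_query_vulnerable(array $levels, int $userId): string {
    $in = implode(',', array_map('stand_in_esc_sql', $levels));
    return "SELECT startdate FROM memberships WHERE status = 'active' "
         . "AND membership_id IN($in) AND user_id = '" . stand_in_esc_sql((string) $userId) . "' "
         . "ORDER BY id LIMIT 1";
}

// Hardened pattern: levels are coerced to integers and every value is bound.
function build_query_hardened(array $levels, int $userId): array {
    $ints = array_map('intval', $levels);
    $placeholders = implode(',', array_fill(0, count($ints), '?'));
    $sql = "SELECT startdate FROM memberships WHERE status = 'active' "
         . "AND membership_id IN($placeholders) AND user_id = ? ORDER BY id LIMIT 1";
    return [$sql, array_merge($ints, [$userId])];
}

function demo(): void {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec("CREATE TABLE memberships (id INTEGER PRIMARY KEY, user_id INTEGER, membership_id INTEGER, status TEXT, startdate TEXT)");
    // Constructed data: user 7 holds level 2 only.
    $pdo->exec("INSERT INTO memberships (user_id, membership_id, status, startdate) VALUES (7, 2, 'active', '2023-01-01')");

    // The shortcode asks for level 5, which user 7 does not hold. The second
    // element is a crafted level value with no quotes in it, so escaping leaves it alone.
    $crafted = ['5', '0) OR (1=1'];

    $vuln = $pdo->query(build_query_vulnerable($crafted, 7))->fetchColumn();
    echo "vulnerable: ", var_export($vuln, true), "\n";   // a startdate comes back: the level check is gone

    [$sql, $params] = build_query_hardened($crafted, 7);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    echo "hardened:   ", var_export($stmt->fetchColumn(), true), "\n"; // false: IN(5,0) matches nothing
}

demo();
```

The takeaway for reviewers: `esc_sql()` is only a complete defence when the escaped value sits between quotes in the final query. For numeric positions, coerce the type; better still, let `$wpdb->prepare()` with `%d` placeholders (one per level, generated with `array_fill()`) do both the typing and the quoting.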

A proof of concept exploit for this vulnerability will be made available on this vulnerability’s WPScan entry.


We recommend that you check which version of the plugins your site is using, and if they are within the affected ranges, update them as soon as possible!

At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe.


Original researcher: Marc Montpas

Thanks to the rest of the WPScan team for feedback, help, and corrections.

Marc Montpas

Marc’s interests led him to work in the trenches of cybersecurity for the better part of the last decade, notably at companies like Sucuri and GoDaddy. His journey led him to uncover several high-impact security issues while auditing open-source platforms, like WordPress. He’s an avid Hacker Capture The Flag player and loves to hypothesize new attack vectors.
