CVE-2020-14092

9.8 CRITICAL

📋 TL;DR

This vulnerability allows SQL injection attacks in the CodePeople Payment Form for PayPal Pro WordPress plugin before version 1.1.65. Attackers can execute arbitrary SQL commands through the plugin's forms, potentially compromising the WordPress database. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • CodePeople Payment Form for PayPal Pro WordPress plugin
Versions: All versions before 1.1.65
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and active on a WordPress site.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, privilege escalation, remote code execution, and full site takeover.

🟠

Likely Case

Database information disclosure, including user credentials, payment data, and sensitive site information.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly exploited and tooling exists for automated exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.65

Vendor Advisory: https://wordpress.org/plugins/payment-form-for-paypal-pro/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Payment Form for PayPal Pro'.
4. Click 'Update Now' if available, or download version 1.1.65+ from the WordPress repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable vulnerable plugin
Platform: all
Temporarily disable the plugin until patched:

wp plugin deactivate payment-form-for-paypal-pro

Web Application Firewall
Platform: all
Implement WAF rules to block SQL injection patterns

🧯 If You Can't Patch

  • Remove the plugin entirely and use alternative payment solutions
  • Implement strict input validation and parameterized queries at application level

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins → Installed Plugins

Check Version:

wp plugin get payment-form-for-paypal-pro --field=version

Verify Fix Applied:

Confirm plugin version is 1.1.65 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries in WordPress logs
  • SQL error messages containing plugin references
  • Multiple failed login attempts following plugin access

Network Indicators:

  • SQL injection patterns in HTTP POST requests to plugin endpoints
  • Unusual database connection patterns

SIEM Query:

source="wordpress.log" AND "payment-form-for-paypal-pro" AND ("SQL" OR "database error" OR "UNION SELECT")
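The network indicator above (SQL injection patterns in POST requests to plugin endpoints) can be checked offline against request records from a WAF or reverse proxy that logs bodies; this is an added example, not code from the advisory or the plugin. The plugin path under /wp-content/plugins/ and the endpoint file name are assumptions, and the request records are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumed location of the plugin's files (standard WordPress layout; not stated in the advisory).
PLUGIN_PATH = "/wp-content/plugins/payment-form-for-paypal-pro/"

# Common SQL injection signatures, matched case-insensitively after URL-decoding.
SQLI_PATTERNS = [
    re.compile(r"union\s+(all\s+)?select", re.I),          # UNION-based extraction
    re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),     # tautology after a quote break
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),         # time-based blind probes
    re.compile(r"(--\s|/\*)"),                             # comment sequences that truncate a query
]


def find_sqli(text):
    """Return the patterns that match `text`; decode twice to catch double URL-encoding."""
    decoded = unquote_plus(unquote_plus(text))
    return [p.pattern for p in SQLI_PATTERNS if p.search(decoded)]


def scan_requests(requests):
    """Flag POST requests to the plugin path whose query string or body carries SQLi signatures."""
    hits = []
    for req in requests:
        if req["method"] != "POST" or not req["path"].startswith(PLUGIN_PATH):
            continue
        payload = req.get("query", "") + "&" + req.get("body", "")
        matched = find_sqli(payload)
        if matched:
            hits.append({"src": req["src"], "path": req["path"], "patterns": matched})
    return hits


# Constructed sample records (not real traffic); "endpoint-placeholder.php" stands in for the real file.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "method": "POST", "path": PLUGIN_PATH + "endpoint-placeholder.php",
     "query": "", "body": "amount=10.00&itemnumber=1"},
    {"src": "203.0.113.9", "method": "POST", "path": PLUGIN_PATH + "endpoint-placeholder.php",
     "query": "", "body": "itemnumber=1%27+UNION+SELECT+1%2C2--+"},
    {"src": "203.0.113.9", "method": "GET", "path": "/wp-login.php", "query": "", "body": ""},
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"{hit['src']} -> {hit['path']}: {hit['patterns']}")
```

Plain web-server access logs do not record POST bodies, so this check only sees body payloads when the proxy or WAF in front of WordPress logs them; with access logs alone, only the query string is inspectable.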

🔗 References
