Security firm High-Tech Bridge released advisories on Wednesday that detail medium risk vulnerabilities in two WordPress plugins.
Multiple vulnerabilities in the Paid Memberships Pro WordPress plugin can be exploited by an attacker to perform cross-site scripting (XSS) attacks against website administrators, one advisory said.
A SQL injection vulnerability in the Count Per Day WordPress plugin could be exploited by attackers to “execute arbitrary SQL queries in application's database, gain control of potentially sensitive information and compromise the entire website,” the other advisory said.
High-Tech Bridge conducted its research on Paid Memberships Pro version 220.127.116.11 and Count Per Day version 3.4, but indicated that prior versions of both plugins are likely at risk.
Updating to Paid Memberships Pro 18.104.22.168 and Count Per Day 3.4.1 will address the bugs.