Paid Membership Pro, a WordPress plugin, prior to 2.9.8 is affected by an unauthenticated SQL injection via the `code` parameter. Remote attackers can exploit this vulnerability to dump usernames and password hashes from the `wp_users` table of the affected WordPress installation. These password hashes can then be cracked offline using tools such as Hashcat to obtain valid login credentials for the affected WordPress installation.
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security