CVE-2024-1389
Published 2024-02-29
CVE-2024-1389: The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized…
Priority: P429 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.52% (40.2nd percentile)
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_stripe_connect_handle_authorization_return function in all versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to change the Stripe payment keys.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cozmoslabs | membership_content_restriction_paid_member_subscriptions | < 2.11.2 | 2.11.2 |
| fortinet | fortios | — | — |
| fortinet | fortiproxy | — | — |
GHSA
GHSA-vx3h-hfch-2ch8 · unreviewed · 2024-02-29 · CVE-2024-1389 [MEDIUM] · CWE-862
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_stripe_connect_handle_authorization_return function in all versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to change the Stripe payment keys.
Fortinet
FG-IR-23-446: FortiOS - IP address validation mishandles zero characters
Vendor advisory (Fortinet) · 2024-07-09 · CVE-2024-26015 [LOW] · CWE-1389 · CVSS 3.4
An incorrect parsing of numbers with different radices vulnerability [CWE-1389] in the IP address validation feature of FortiProxy version 7.4.3 and below, version 7.2.10 and below, version 7.0.17 and below, and FortiOS version 7.4.3 and below, version 7.2.8 and below, version 7.0.15 and below may permit an unauthenticated attacker to bypass the IP blocklist via crafted requests.
CVEs: CVE-2024-26015
CWEs: CWE-1389, CWE-704
CVSS: 3.4 (low)
Affected products: FortiOS, FortiProxy
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/gateways/stripe/admin/functions-admin-connect.php#L11
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3034497%40paid-member-subscriptions%2Ftrunk&old=3031453%40paid-member-subscriptions%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cd5f5861-5be4-456d-915d-bafb7bff2110?source=cve
Published: 2024-02-29