CVE-2024-1407

Severity
5.4 MEDIUM
EPSS
0.2%
top 57.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jun 19, 2024

Description

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.10. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to subscribe a user to a membership, or to modify or cancel a user's membership, via a forged request, provided they can trick that logged-in user into performing an action such as clicking on a link.
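The bug class behind this advisory, as an added illustration that is not code from Paid Memberships Pro: a WordPress handler that changes membership state without a nonce check, the same handler where wp_verify_nonce() is called but its result is ignored (the "incorrect nonce validation" case), and the hardened form. The hook name demo_cancel_membership, the user-meta keys and the redirect target are hypothetical.

```php
<?php
/**
 * Added illustration of missing / incorrect WordPress nonce validation.
 * NOT code from Paid Memberships Pro: the action name
 * "demo_cancel_membership", the user-meta keys and the redirect URL
 * are hypothetical.
 */

// The state change that the handlers below protect (or fail to protect).
function demo_cancel_membership( $user_id ) {
    update_user_meta( $user_id, 'demo_membership_status', 'cancelled' );
    delete_user_meta( $user_id, 'demo_membership_level' );
}

// VULNERABLE (missing nonce): a <form> on an attacker's page that POSTs to
// /wp-admin/admin-post.php?action=demo_cancel_membership is accepted,
// because the victim's browser attaches their logged-in cookies and the
// handler asks for no proof that the request came from this site.
function demo_cancel_membership_missing_nonce() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in.', '', array( 'response' => 403 ) );
    }
    demo_cancel_membership( get_current_user_id() );
    wp_safe_redirect( home_url( '/account/' ) );
    exit;
}

// VULNERABLE (incorrect validation): wp_verify_nonce() is called, but its
// return value is never acted on, so a forged request with no _wpnonce at
// all still reaches the state change.
function demo_cancel_membership_ignored_nonce() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in.', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';
    wp_verify_nonce( $nonce, 'demo_cancel_membership' ); // result ignored
    demo_cancel_membership( get_current_user_id() );
    wp_safe_redirect( home_url( '/account/' ) );
    exit;
}

// HARDENED: the form carries a nonce bound to this action and to the
// current user, and the handler refuses the request unless it verifies.
function demo_render_cancel_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_cancel_membership">';
    // Emits the hidden "_wpnonce" field (and "_wp_http_referer").
    wp_nonce_field( 'demo_cancel_membership_' . get_current_user_id() );
    echo '<button type="submit">Cancel my membership</button></form>';
}

function demo_cancel_membership_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in.', '', array( 'response' => 403 ) );
    }
    $user_id = get_current_user_id();
    // check_admin_referer() runs wp_verify_nonce() on $_REQUEST['_wpnonce']
    // and dies with HTTP 403 when the nonce is absent, expired, or was
    // issued for a different action or a different user/session.
    check_admin_referer( 'demo_cancel_membership_' . $user_id );
    demo_cancel_membership( $user_id );
    wp_safe_redirect( home_url( '/account/' ) );
    exit;
}
add_action( 'admin_post_demo_cancel_membership', 'demo_cancel_membership_hardened' );
```

For admin-ajax.php endpoints the equivalent guard is check_ajax_referer( $action, 'nonce' ), which also dies on failure; for GET-triggered links, build the URL with wp_nonce_url() and verify it the same way. A nonce only proves the request originated from a page this site served to this user; it is not an authorization check, so a handler that can act on a membership other than the caller's own still needs a current_user_can() or owner check in addition to the nonce.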

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Exploitability: 2.8 | Impact: 2.5

Affected Packages: 1 package

Patches

Vulnerability Details (2 references)

CVEList
Paid Memberships Pro <= 2.12.10 - Cross-Site Request Forgery to Membership Modification (2024-06-19)
GHSA
GHSA-pfq7-73fv-24h8: The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forge… (2024-06-19)
CVE-2024-1407 (MEDIUM CVSS 5.4) | The Paid Memberships Pro – Content | cvebase.io