The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function in all versions up to 2.12.5 (inclusive). This makes it possible for unauthenticated attackers to change membership levels including prices.
References
Configurations
History
21 Nov 2024, 08:44
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/browser/paid-memberships-pro/trunk/includes/rest-api.php#L528 - Issue Tracking | |
References | () https://plugins.trac.wordpress.org/browser/paid-memberships-pro/trunk/includes/rest-api.php#L997 - Issue Tracking | |
References | () https://plugins.trac.wordpress.org/changeset/3011575/paid-memberships-pro/trunk/includes/rest-api.php?contextall=1&old=2947813&old_path=%2Fpaid-memberships-pro%2Ftrunk%2Fincludes%2Frest-api.php - Issue Tracking | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/383c7837-e7b7-4608-9cdc-91b7dbc7f4e2?source=cve - Third Party Advisory |
17 Jan 2024, 22:11
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
CWE | CWE-862 | |
First Time |
Strangerstudios paid Memberships Pro
Strangerstudios |
|
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/383c7837-e7b7-4608-9cdc-91b7dbc7f4e2?source=cve - Third Party Advisory | |
References | () https://plugins.trac.wordpress.org/changeset/3011575/paid-memberships-pro/trunk/includes/rest-api.php?contextall=1&old=2947813&old_path=%2Fpaid-memberships-pro%2Ftrunk%2Fincludes%2Frest-api.php - Issue Tracking | |
References | () https://plugins.trac.wordpress.org/browser/paid-memberships-pro/trunk/includes/rest-api.php#L997 - Issue Tracking | |
References | () https://plugins.trac.wordpress.org/browser/paid-memberships-pro/trunk/includes/rest-api.php#L528 - Issue Tracking | |
CPE | cpe:2.3:a:strangerstudios:paid_memberships_pro:*:*:*:*:*:wordpress:*:* |
11 Jan 2024, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-11 09:15
Updated : 2024-11-21 08:44
NVD link : CVE-2023-6855
Mitre link : CVE-2023-6855
CVE.ORG link : CVE-2023-6855
JSON object : View
Products Affected
strangerstudios
- paid_memberships_pro
CWE
CWE-862
Missing Authorization