CVE-2023-6855

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function in all versions up to 2.12.5 (inclusive). This makes it possible for unauthenticated attackers to change membership levels including prices.
Configurations

Configuration 1 (hide)

cpe:2.3:a:strangerstudios:paid_memberships_pro:*:*:*:*:*:wordpress:*:*

History

17 Jan 2024, 22:11

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
CWE CWE-862
CPE cpe:2.3:a:strangerstudios:paid_memberships_pro:*:*:*:*:*:wordpress:*:*
First Time Strangerstudios paid Memberships Pro
Strangerstudios
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/383c7837-e7b7-4608-9cdc-91b7dbc7f4e2?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/383c7837-e7b7-4608-9cdc-91b7dbc7f4e2?source=cve - Third Party Advisory
References () https://plugins.trac.wordpress.org/changeset/3011575/paid-memberships-pro/trunk/includes/rest-api.php?contextall=1&old=2947813&old_path=%2Fpaid-memberships-pro%2Ftrunk%2Fincludes%2Frest-api.php - () https://plugins.trac.wordpress.org/changeset/3011575/paid-memberships-pro/trunk/includes/rest-api.php?contextall=1&old=2947813&old_path=%2Fpaid-memberships-pro%2Ftrunk%2Fincludes%2Frest-api.php - Issue Tracking
References () https://plugins.trac.wordpress.org/browser/paid-memberships-pro/trunk/includes/rest-api.php#L997 - () https://plugins.trac.wordpress.org/browser/paid-memberships-pro/trunk/includes/rest-api.php#L997 - Issue Tracking
References () https://plugins.trac.wordpress.org/browser/paid-memberships-pro/trunk/includes/rest-api.php#L528 - () https://plugins.trac.wordpress.org/browser/paid-memberships-pro/trunk/includes/rest-api.php#L528 - Issue Tracking

11 Jan 2024, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-11 09:15

Updated : 2024-02-28 20:54


NVD link : CVE-2023-6855

Mitre link : CVE-2023-6855

CVE.ORG link : CVE-2023-6855


JSON object : View

Products Affected

strangerstudios

  • paid_memberships_pro
CWE
CWE-862

Missing Authorization