Platform: wordpress
Component: paid-member-subscriptions
Fixed in: 2.13.8
CVE-2024-12919 represents a critical Authentication Bypass vulnerability affecting the Paid Membership Subscriptions plugin for WordPress. An attacker can leverage a valid payment ID to gain unauthorized access and impersonate any user on the affected site. This vulnerability impacts versions up to and including 2.13.7. A patch is available from the vendor.
This vulnerability allows unauthenticated attackers to bypass the authentication process entirely. By exploiting the pms_pb_payment_redirect_link function with a known payment ID, an attacker can effectively log in as any user who has previously made a purchase on the WordPress site. This grants them full access to the impersonated user's account, including sensitive data, administrative privileges (if the user has them), and the ability to perform actions on behalf of that user. The potential impact includes data breaches, unauthorized modifications to content, and complete compromise of the WordPress site's user accounts.
This vulnerability has been publicly disclosed and assigned a CVSS score of 9.8 (CRITICAL). While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the high potential impact make it a high-priority vulnerability. It is likely to be targeted by malicious actors. The CVE was published on 2025-01-14.
WordPress sites utilizing the Paid Membership Subscriptions plugin, particularly those with e-commerce functionality or subscription models, are at significant risk. Shared hosting environments where plugin updates are managed by the hosting provider are also at increased risk due to potential delays in patching.
• wordpress / composer / npm:
grep -r 'pms_pb_payment_redirect_link' /var/www/html/wp-content/plugins/paid-membership-subscriptions/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'Paid Membership Subscriptions'
• wordpress / composer / npm:
wp plugin update --all
• generic web:
Check for the existence of the /wp-content/plugins/paid-membership-subscriptions/ directory.
disclosure
Exploit Status
EPSS: 0.11% (30th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Paid Membership Subscriptions plugin to a version higher than 2.13.7, as the vendor has released a patch to address this vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to the pms_pb_payment_redirect_link endpoint. This could involve implementing stricter input validation or requiring additional authentication steps for users accessing this functionality. After upgrading, verify the fix by attempting to access a user account using a known payment ID without proper authentication; access should be denied.
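To make the flaw class and the workaround concrete, here is an added illustration (not the plugin's own code, and not the patched code the vendor shipped): a hypothetical WordPress redirect handler that treats a payment ID as proof of identity, beside a hardened form that only acts for an already-authenticated user who owns the payment and presents a nonce bound to that payment. Function names prefixed `example_` and the `payment_id` query parameter are assumptions for the example.

```php
<?php
// Added example: hypothetical handlers, not code from the Paid Membership Subscriptions plugin.
// example_get_payment() is an assumed lookup returning an object with a user_id property.

// WEAK PATTERN: a guessable payment ID is accepted as an authenticator.
// Whoever supplies a valid ID is logged in as that payment's owner, with no other check.
function example_weak_payment_redirect() {
    if ( ! isset( $_GET['payment_id'] ) ) {
        return;
    }
    $payment = example_get_payment( absint( $_GET['payment_id'] ) );
    if ( $payment ) {
        wp_set_auth_cookie( $payment->user_id );      // session issued from an unauthenticated input
        wp_safe_redirect( home_url( '/account/' ) );
        exit;
    }
}

// HARDENED PATTERN: the payment ID is only a lookup key, never an authenticator.
// 1. Require an existing logged-in session (otherwise send the visitor to the login page).
// 2. Require a nonce bound to this user's session and to this specific payment ID,
//    so a link cannot be forged from the ID alone and expires with WordPress's nonce lifetime.
// 3. Require that the payment belongs to the current user before redirecting.
function example_hardened_payment_redirect() {
    if ( ! isset( $_GET['payment_id'], $_GET['_wpnonce'] ) ) {
        return;
    }
    $payment_id = absint( $_GET['payment_id'] );
    $user_id    = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_safe_redirect( wp_login_url( home_url( '/account/' ) ) );
        exit;
    }
    $nonce = sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'example_payment_redirect_' . $payment_id ) ) {
        wp_die( 'Invalid or expired link.', 403 );
    }
    $payment = example_get_payment( $payment_id );
    if ( ! $payment || (int) $payment->user_id !== $user_id ) {
        wp_die( 'Payment not found.', 404 );          // same reply whether missing or not yours
    }
    wp_safe_redirect( home_url( '/account/' ) );      // no wp_set_auth_cookie(): identity unchanged
    exit;
}
```

Either function would be attached with `add_action( 'template_redirect', ... )`; the nonce for a legitimate link is produced with `wp_create_nonce( 'example_payment_redirect_' . $payment_id )` for the logged-in owner.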
Update the Paid Membership Subscriptions plugin to the latest available version. The vulnerability is present in versions prior to 2.13.8. The update corrects the authentication flaw.
CVE-2024-12919 is a critical vulnerability in the Paid Membership Subscriptions plugin for WordPress that allows attackers to bypass authentication using a valid payment ID.
You are affected if you are using the Paid Membership Subscriptions plugin at version 2.13.7 or earlier. Upgrade immediately.
Upgrade the Paid Membership Subscriptions plugin to a version higher than 2.13.7. If upgrading is not possible, implement temporary workarounds like restricting access to the vulnerable endpoint.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted.
Refer to the official Paid Membership Subscriptions plugin website or WordPress.org plugin repository for the latest advisory and patch information.