WordPress Plugin Vulnerabilities

Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction < 2.11.2 - Missing Authorization via pms_stripe_connect_handle_authorization_return

Description

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_stripe_connect_handle_authorization_return function in all versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to change the Stripe payment keys.

Affects Plugins

Plugin icon
paid-member-subscriptions
Fixed in 2.11.2

References

CVE
CVE-2024-1389
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cd5f5861-5be4-456d-915d-bafb7bff2110

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
1fba64b1-28f9-4d55-9e81-c287ccf297d4

Timeline

Publicly Published
2024-02-13 (about 2 years ago)
Added
2024-02-13 (about 2 years ago)
Last Updated
2024-02-13 (about 2 years ago)

Other

Published
Title
Published
2024-05-20
Title
HT Mega < 2.5.3 - Subscriber+ Options Update
Published
2024-11-18
Title
Classified Listing – Classified ads & Business Directory Plugin < 3.1.16 - Authenticated (Subscriber+) Limited Arbitrary Option Update
Published
2026-01-19
Title
Broadstreet Ads < 1.52.2 - Missing Authorization
Published
2025-09-26
Title
Subscribe To Unlock <= 1.1.5 - Missing Authorization
Published
2025-01-24
Title
WP Fast Total Search < 1.79.262 - Missing Authorization