Paid Memberships Pro < 2.12.9 – Contributor+ Arbitrary User Custom Field Disclosure | CVE 2024-1279

Description

The plugin does not prevent user with at least the contributor role from leaking other users' sensitive metadata.

Proof of Concept

As a contributor,
- Add shortcode to any post and specify/guess any user ID and meta key and save
- Preview the post and see custom field value outputs from any user

Example shortcode: `[pmpro_member user_id="ANY_USER_ID" field="ANY_META_KEY"]`

Affects Plugins

paid-memberships-pro

Fixed in 2.12.9

References

CVE

CVE-2024-1279

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

CVSS

4.9 (medium)

Miscellaneous

Original Researcher

Scott Kingsley Clark

Submitter

Scott Kingsley Clark

Submitter website

https://skc.dev

Submitter twitter

scottkclark

Verified

Yes

WPVDB ID

4c537264-0c23-428e-9a11-7a9e74fb6b69

Timeline

Publicly Published

2024-02-16 (about 1 year ago)

Added

2024-02-16 (about 1 year ago)

Last Updated

2024-02-16 (about 1 year ago)

Other

Published

Title

Published

2022-01-06

Title

Ultimate Product Catalog < 5.0.26 - Subscriber+ Arbitrary Product Creation & Settings Update

Published

2024-09-25

Title

Jupiter X Core < 4.7.8 - Limited Unauthenticated Authentication Bypass to Account Takeover

Published

2021-10-18

Title

Insert Pages < 3.7.0 - Contributor+ Arbitrary Posts/Pages Access

Published

2024-12-19

Title

Maintenance & Coming Soon Redirect Animation < 2.3.0 - Missing Authorization to Settings Update

Published

2021-08-18

Title

Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls