Paid Memberships Pro < 2.12.9 – Contributor+ Arbitrary User Custom Field Disclosure | CVE 2024-1279

Description

The plugin does not prevent user with at least the contributor role from leaking other users' sensitive metadata.

Proof of Concept

As a contributor,
- Add shortcode to any post and specify/guess any user ID and meta key and save
- Preview the post and see custom field value outputs from any user

Example shortcode: `[pmpro_member user_id="ANY_USER_ID" field="ANY_META_KEY"]`

Affects Plugins

paid-memberships-pro

Fixed in 2.12.9

References

CVE

CVE-2024-1279

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Original Researcher

Scott Kingsley Clark

Submitter

Scott Kingsley Clark

Submitter website

https://skc.dev

Submitter twitter

scottkclark

Verified

Yes

WPVDB ID

4c537264-0c23-428e-9a11-7a9e74fb6b69

Timeline

Publicly Published

2024-02-16 (about 2 months ago)

Added

2024-02-16 (about 2 months ago)

Last Updated

2024-02-16 (about 2 months ago)

Other

Published

Title

Published

2024-02-21

Title

Event Tickets and Registration < 5.8.2 - Missing Authorization

Published

2021-11-15

Title

Page/Post Content Shortcode <= 1.0 - Contributor+ Arbitrary Posts/Pages Access

Published

2021-10-05

Title

JobSearch WP Job Board < 1.8.2 - Unauthenticated Plugin's Settings Update

Published

2024-02-16

Title

WP Maintenance < 6.1.7 - Information Exposure

Published

2022-12-28

Title

Optimize images ALT Text (alt tag) & names for SEO using AI < 2.0.8 - Settings Update via CSRF