Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction < 2.11.2 – Missing Authorization via creating_pricing_table_page | CVE 2024-1390 | Plugin Vulnerabilities

Description

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables.

Affects Plugins

paid-member-subscriptions

Fixed in 2.11.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/10f00859-3adf-40ff-8f33-827bbb1f62df

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

ae56ff7a-aecc-4c1d-a021-c1e26523eb9c

Timeline

Publicly Published

2024-02-13 (about 2 years ago)

Added

2024-02-13 (about 2 years ago)

Last Updated

2024-02-13 (about 2 years ago)

Other

Published

Title

Published

2024-04-05

Title

Easy Social Share Buttons < 9.5 - Missing Authorization

Published

2025-01-16

Title

OPSI Israel Domestic Shipments <= 2.8.2 - Missing Authorization

Published

2025-12-20

Title

Redirection for Contact Form 7 < 3.2.8 - Unauthenticated Arbitrary File Copy

Published

2026-01-19

Title

Custom Fonts – Host Your Fonts Locally < 2.1.17 - Missing Authorization to Unauthenticated Font Deletion

Published

2025-01-06

Title

WordPress File Upload < 4.25.0 - Missing Authorization to Authenticated (Subscriber+) Limited Path Traversal