Paid Memberships Pro < 2.12.6 – Missing Authorization via API | CVE 2023-6855 | Plugin Vulnerabilities

Description

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function in all versions up to 2.12.5 (inclusive). This makes it possible for unauthenticated attackers to change membership levels including prices.

Affects Plugins

paid-memberships-pro

Fixed in 2.12.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/383c7837-e7b7-4608-9cdc-91b7dbc7f4e2

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Webbernaut

Verified

No

WPVDB ID

cbb3c0a0-b9e0-48e5-9cf0-a8e0b2fdff31

Timeline

Publicly Published

2023-12-21 (about 2 years ago)

Added

2023-12-22 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2026-04-15

Title

Basic Google Maps Placemarks < 1.10.8 - Missing Authorization to Unauthenticated Default Map Coordinate Update

Published

2025-12-31

Title

QuadLayers TikTok Feed <= 4.6.4 - Missing Authorization

Published

2025-10-05

Title

Nelio Content < 4.0.6 - Missing Authorization

Published

2025-05-16

Title

AnyWhere Elementor Pro <= 2.29 - Missing Authorization

Published

2026-04-15

Title

Riaxe Product Customizer <= 2.1.2 - Unauthenticated Arbitrary User Deletion via 'user_id' Parameter