Paid Memberships Pro < 2.12.4 – Subscriber+ Arbitrary File Upload | CVE 2023-6187 | Plugin Vulnerabilities

Description

The plugin does not properly validate file type in its pmpro_paypalexpress_session_vars_for_user_fields() function, which could allow any authenticated users, such as subscriber to upload arbitrary files on the server.

Note: Exploitation of the issue requires 2Checkout (deprecated since version 2.6) or PayPal Express to be set set as the payment method and a custom user field is added that is only visible at profile, and not visible at checkout according to its settings.

Affects Plugins

paid-memberships-pro

Fixed in 2.12.4

References

CVE

Miscellaneous

Original Researcher

István Márton

Verified

No

WPVDB ID

d50dbfb9-5759-415a-8638-73c622b44793

Timeline

Publicly Published

2023-11-16 (about 2 years ago)

Added

2023-11-18 (about 2 years ago)

Last Updated

2023-11-18 (about 2 years ago)

Other

Published

Title

Published

2025-11-10

Title

Blocksy Companion < 2.1.20 - Author+ Arbitrary File Upload via SVG Upload Bypass

Published

2014-08-01

Title

wp-seo-spy-google - ofc_upload_image.php Arbitrary File Upload

Published

2024-11-13

Title

Convert Docx2post <= 1.4 - Authenticated (Author+) Arbitrary File Upload

Published

2014-08-01

Title

Evarisk 5.1.5.4 - include/lib/actionsCorrectives/activite/uploadPhotoApres.php File Upload PHP Code Execution

Published

2026-02-18

Title

Checkout Field Manager (Checkout Manager) for WooCommerce < 7.8.2 - Unauthenticated Limited File Upload