Paid Membership Pro < 2.5.3 – Unauthorised Order Information Disclosure

Description

The pmpro_get_order_json AJAX action, available to authenticated user did not check for authorisation, allowing any authenticated users to retrieve arbitrary order information (such as customer names, email addresses, and order numbers) via the order_id parameter.

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=pmpro_get_order_json&order_id=X

Affects Plugins

paid-memberships-pro

Fixed in 2.5.3

References

URL

https://plugins.trac.wordpress.org/changeset/2463181

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

CVSS

6.5 (medium)

Miscellaneous

Verified

Yes

WPVDB ID

f82e76e5-94df-49e4-8f10-6524e26b0284

Timeline

Publicly Published

2021-02-06 (about 5 years ago)

Added

2021-02-06 (about 5 years ago)

Last Updated

2021-02-06 (about 5 years ago)

Other

Published

Title

Published

2023-10-24

Title

Draw Attention < 2.0.16 - Improper Access Control via register_cpt

Published

2024-04-18

Title

Frontend Admin by DynamiApps < 3.19.5 - Improper Missing Encryption Exception Handling to Form Manipulation

Published

2025-07-03

Title

DocCheck Login < 1.1.6 - Unauthorized Post Access

Published

2024-02-06

Title

Customer Reviews for WooCommerce < 5.39.0 - Improper Authorization via submit_review

Published

2024-10-31

Title

Multiple Page Generator Plugin – MPG < 4.0.2 - Missing Authorization