- Plugin Name: Paid Memberships Pro
- Software Type: Plugin
- Software Slug: paid-memberships-pro
- Software Status: Active
- Software Author: strangerstudios
- Software Downloads: 5,532,954
- Active Installs: 90,000
- Last Updated: January 24, 2024
- Patched Versions: 2.12.8
- Affected Versions: <= 2.12.7
- Name: Paid Memberships Pro <= 2.12.7 - Cross-Site Request Forgery to Level Orders Update
- Type: Cross-Site Request Forgery (CSRF)
- CVE: CVE-2024-0624
- CVSS Score: 5.3 (Medium)
- Publicly Published: January 24, 2024
- Researcher: kodaichodai
- Description: The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.7. This is due to missing or incorrect nonce validation on the pmpro_update_level_order() function. This makes it possible for unauthenticated attackers to update the order of levels via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
The Paid Memberships Pro plugin for WordPress has a vulnerability in versions up to and including 2.12.7 that allows unauthenticated attackers to update the order of membership levels by tricking an administrator into clicking a forged link. This Cross-Site Request Forgery vulnerability has been patched in version 2.12.8.
The vulnerability, discovered by researcher kodaichodai, is due to improper validation of nonces in the pmpro_update_level_order() function of the plugin. This makes it possible for attackers to send a forged request that updates membership level order if they can trick a site admin into clicking a link or performing another action. Successful exploitation gives the attacker control over the order in which membership levels are displayed.
While the CVSS score is medium at 5.3, this could enable further attacks by manipulating level permissions. Users are strongly advised to update as soon as possible.
Advice for Users:
- Immediate Action: Upgrade to version 2.12.8 or higher as soon as possible.
- Check for Signs of Compromise: Review membership level order and permissions to confirm they match intended configurations.
- Alternate Plugins: Consider using an alternate membership plugin like MemberPress as a precaution.
- Stay Updated: Enable automatic updates for plugins to get vulnerability fixes as soon as they become available.
This CSRF vulnerability allowed unauthenticated attackers, acting through a tricked administrator, to manipulate membership data, underscoring the importance of request validation and rapid response. Users should upgrade immediately to prevent potential follow-on attacks.
Managing a small business is a constant juggling act. Finding time to stay on top of your website’s security vulnerabilities likely falls low on the priority list. But outdated plugins and themes open backdoors for attackers to compromise your site. Unfortunately, a popular premium membership plugin called Paid Memberships Pro has a vulnerability in versions up to and including 2.12.7 that puts over 90,000 WordPress sites at risk.
About Paid Memberships Pro
With over 5.5 million downloads and 90,000+ active installs, Paid Memberships Pro is a top plugin for offering subscription content and member areas on WordPress sites. This membership management plugin is full-featured yet easy to use, making it a go-to choice for small business owners.
Cross-Site Request Forgery Vulnerability
Researcher kodaichodai discovered that Paid Memberships Pro is susceptible to a cross-site request forgery (CSRF) vulnerability. This issue stems from improper validation of requests that enables unauthorized users to manipulate the order of membership levels if they trick an admin into clicking a malicious link.
At first glance this looks like a relatively harmless issue, but the flaw can give attackers an initial foothold from which to launch more dangerous follow-on attacks. The vulnerability is especially risky because membership level order often correlates with access permissions.
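The root cause named in the description and in this section is a state-changing admin action that ran without nonce validation. The following is an added example, not Paid Memberships Pro's own code, of the generic WordPress pattern that prevents this class of CSRF: a vulnerable handler that trusts request data directly, beside a hardened handler that checks the user's capability and verifies a nonce before touching anything. Every function, hook action name and option name prefixed with `example_` is an assumption made for illustration; only the WordPress core APIs (`check_admin_referer()`, `wp_nonce_url()`, `current_user_can()`, `update_option()`, the `admin_post_{$action}` hook) are real.

```php
<?php
// Added example (not the plugin's code). The example_* names are assumptions.

// BEFORE (vulnerable pattern): any request carrying level_order is acted on.
// An attacker who lures a logged-in admin to a page that submits this request
// gets the change applied with the admin's cookies, because nothing ties the
// request to a form the admin actually saw.
function example_update_level_order_vulnerable() {
    if ( ! empty( $_REQUEST['level_order'] ) ) {
        $raw = sanitize_text_field( wp_unslash( $_REQUEST['level_order'] ) );
        update_option( 'example_level_order', $raw );
    }
}

// AFTER (hardened):
// 1. Links and forms that trigger the update carry a nonce bound to the action.
function example_level_order_submit_url() {
    $url = add_query_arg( 'action', 'example_update_level_order', admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'example_update_level_order', '_wpnonce' );
}

// 2. The handler only runs for its own admin-post action, and refuses the
//    request unless both the capability and the nonce check out.
function example_update_level_order_hardened() {
    // Capability first: a nonce proves intent, not authority.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // check_admin_referer() terminates the request when the nonce is missing,
    // expired, or issued for a different action/user, so a forged cross-site
    // request never reaches update_option().
    check_admin_referer( 'example_update_level_order', '_wpnonce' );

    if ( empty( $_REQUEST['level_order'] ) ) {
        wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
        exit;
    }

    // Accept only a comma-separated list of positive integer level IDs.
    $raw = sanitize_text_field( wp_unslash( $_REQUEST['level_order'] ) );
    $ids = array_filter( array_map( 'absint', explode( ',', $raw ) ) );
    if ( ! empty( $ids ) ) {
        update_option( 'example_level_order', implode( ',', $ids ) );
    }

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
// Fires only when admin-post.php is called with action=example_update_level_order.
add_action( 'admin_post_example_update_level_order', 'example_update_level_order_hardened' );
```

The two checks are independent and both are needed: `current_user_can()` stops a low-privilege user from calling the handler at all, while `check_admin_referer()` stops a third-party site from driving a privileged user's browser into calling it. Stripping either one reintroduces a flaw of the kind this advisory describes.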
Risks & Impacts
Successful exploitation of this vulnerability lets attackers:
- Reorder membership levels at will
- Potentially elevate permissions by moving lower access levels up
- Open the door for additional attacks like overriding other permission settings
Attackers can leverage an initial small compromise to eventually gain full admin access, steal data, deliver malware to your site visitors, and seriously disrupt your business.
How to Fix This Vulnerability
The good news is the Paid Memberships Pro team has already patched this CSRF exploit in version 2.12.8. Upgrading cleans up the flaw and restores your site security. Due to the severity and ease of exploiting this vulnerability, all users should upgrade immediately.
If you need help updating or want a full site audit to check for other vulnerabilities, our WordPress security team offers affordable website security services for small businesses.
Paid Memberships Pro has had 17 previous vulnerabilities reported since November 2014, indicating multiple avenues for potential compromise. While the developers responded quickly to patch this latest issue, staying on outdated versions leaves you in the crosshairs.
Stay on Top of Security Updates
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.