WordPress Plugin Vulnerability Report – Paid Memberships Pro – Authenticated (Subscriber+) Arbitrary File Upload – CVE-2023-6187

Plugin Name: Paid Memberships Pro

Key Information:

  • Software Type: Plugin
  • Software Slug: paid-memberships-pro
  • Software Status: Active
  • Software Author: strangerstudios
  • Software Downloads: 5,334,391
  • Active Installs: 90,000
  • Last Updated: November 16, 2023
  • Patched Versions: 2.12.4
  • Affected Versions: <= 2.12.3

Vulnerability Details:

  • Name: Paid Memberships Pro <= 2.12.3 - Authenticated (Subscriber+) Arbitrary File Upload
  • Title: Authenticated (Subscriber+) Arbitrary File Upload
  • Type: Unrestricted Upload of File with Dangerous Type
  • CVE: CVE-2023-6187
  • CVSS Score: 7.5 (High)
  • Publicly Published: November 16, 2023
  • Researcher: István Márton
  • Description: The Paid Memberships Pro plugin for WordPress is vulnerable to arbitrary file uploads to insufficient file type validation in the 'pmpro_paypalexpress_session_vars_for_user_fields' function in versions up to, and including, 2.12.3. This makes it possible for authenticated attackers with subscriber privileges or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if 2Checkout (deprecated since version 2.6) or PayPal Express is set as the payment method and a custom user field is added that is only visible at profile, and not visible at checkout according to its settings.

Summary:

The Paid Memberships Pro for WordPress has a vulnerability in versions up to and including 2.12.3 that allows authenticated users with subscriber privileges or higher to upload arbitrary files. This vulnerability has been patched in version 2.12.4.

Detailed Overview:

The Paid Memberships Pro plugin for WordPress contains an arbitrary file upload vulnerability due to insufficient validation of uploaded file types in the 'pmpro_paypalexpress_session_vars_for_user_fields' function. This issue was reported by researcher István Márton and impacts Paid Memberships Pro versions up to and including 2.12.3.

The vulnerability allows authenticated users with subscriber privileges or higher to upload files of any type to the server by exploiting the lack of restrictions on allowed file types. This could enable remote code execution if malicious files are uploaded.

The issue is exploitable if the vulnerable Paid Memberships Pro configurations uses either 2Checkout or PayPal Express as the payment gateway, and has custom user profile fields enabled that are set to be visible at profile but not checkout.

This is a serious vulnerability that puts WordPress sites at risk of compromise. Paid Memberships Pro has high download counts, so many sites are likely affected.

Advice for Users:

  1. Immediate Action: Update to Paid Memberships Pro version 2.12.4 as soon as possible.
  2. Check for Signs of Vulnerability: Review your server logs for any unexpected file uploads by subscribers. Also scan files for anything suspicious.
  3. Alternate Plugins: Consider using an alternate membership plugin like MemberPress as a precaution until you can fully update.
  4. Stay Updated: Always keep your WordPress plugins updated to avoid vulnerabilities like this being exploited.

Conclusion:

The quick response by the Paid Memberships Pro developers to address this vulnerability is positive. Users should still treat this seriously and update as soon as possible. Running the latest plugin versions is critical to lock down WordPress sites against emerging threats.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/paid-memberships-pro

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/paid-memberships-pro/paid-memberships-pro-2123-authenticated-subscriber-arbitrary-file-upload

Detailed Report:

Keeping your WordPress website and its plugins up-to-date is critical for security. Unfortunately, too many site owners fail to regularly update and patch vulnerabilities that leave them exposed to attacks. This was demonstrated once again with the recent disclosure of a serious arbitrary file upload vulnerability in a popular WordPress membership plugin, Paid Memberships Pro.

Paid Memberships Pro is a widely used plugin with over 5 million downloads that allows site owners to offer premium content and features to paying members. However, versions up to and including 2.12.3 contain a vulnerability that allows authenticated users - like paying subscribers - to upload arbitrary files of any type to the site's server.

This vulnerability, now patched in version 2.12.4, is cause for concern given the large user base of over 90,000 active sites. It allows an attacker to potentially compromise a WordPress site by uploading malicious files, like a web shell, to enable further access and control.

The vulnerability exists because of insufficient validation of uploaded file types in the plugin's code. By exploiting this, an attacker can bypass restrictions on allowed files and upload anything. This is incredibly dangerous, especially since paying subscribers often have enhanced permissions compared to regular site visitors.

If your site is running Paid Memberships Pro, you should immediately update to version 2.12.4 to ensure you have the fix in place for this serious security flaw. Also be on the lookout for any unexpected files that may have been uploaded before you updated.

This is not the first vulnerability found in Paid Memberships Pro either - there have been 14 previous issues reported since November 2014. This highlights the ongoing importance of staying on top of updates and security notices, even for popular, well-established plugins.

As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.

WordPress Plugin Vulnerability Report – Paid Memberships Pro – Authenticated (Subscriber+) Arbitrary File Upload – CVE-2023-6187 FAQs

Leave a Comment