Search criteria
14 vulnerabilities found for Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction by cozmoslabs
CVE-2025-11835 (GCVE-0-2025-11835)
Vulnerability from nvd – Published: 2025-11-05 03:27 – Updated: 2026-04-08 17:31
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.16.4 - Missing Authorization to Unauthenticated Arbitrary Member Subscription Auto Renewal
Summary
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability and validation check on the PMS_AJAX_Checkout_Handler::process_payment() function in all versions up to, and including, 2.16.4. This makes it possible for unauthenticated attackers to trigger stored auto-renew charges for arbitrary members.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.16.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11835",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T14:14:40.527293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T14:26:27.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.16.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafshanzani Suhada"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability and validation check on the PMS_AJAX_Checkout_Handler::process_payment() function in all versions up to, and including, 2.16.4. This makes it possible for unauthenticated attackers to trigger stored auto-renew charges for arbitrary members."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:31:09.651Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eb1948bd-c5b4-4fbe-9aa6-19f24325e6bb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3383182/paid-member-subscriptions"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-15T22:04:23.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-04T14:36:11.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.16.4 - Missing Authorization to Unauthenticated Arbitrary Member Subscription Auto Renewal"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11835",
"datePublished": "2025-11-05T03:27:57.526Z",
"dateReserved": "2025-10-15T21:48:26.282Z",
"dateUpdated": "2026-04-08T17:31:09.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12919 (GCVE-0-2024-12919)
Vulnerability from nvd – Published: 2025-01-14 09:21 – Updated: 2026-04-08 17:25
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.13.7 - Authentication Bypass via pms_payment_id
Summary
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the 'pms_payment_id' parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site.
Severity ?
9.8 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.13.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12919",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T14:42:16.945669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T14:43:35.557Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.13.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the \u0027pms_payment_id\u0027 parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:25:38.671Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a4fa4d-a7d2-4890-b0f5-5fe69bc5e7ac?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3214706/paid-member-subscriptions"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-24T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.13.7 - Authentication Bypass via pms_payment_id"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12919",
"datePublished": "2025-01-14T09:21:55.299Z",
"dateReserved": "2024-12-24T17:14:52.449Z",
"dateUpdated": "2026-04-08T17:25:38.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11291 (GCVE-0-2024-11291)
Vulnerability from nvd – Published: 2024-12-18 11:09 – Updated: 2026-04-08 17:29
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.13.4 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Summary
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.4 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.13.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-18T16:26:29.579642Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T16:29:54.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.13.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.4 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:29:05.556Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e207f1a3-2ca5-46d1-91a9-89652451266c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3206206/paid-member-subscriptions"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-18T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-12-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.13.4 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11291",
"datePublished": "2024-12-18T11:09:31.646Z",
"dateReserved": "2024-11-15T21:37:54.832Z",
"dateUpdated": "2026-04-08T17:29:05.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-10261 (GCVE-0-2024-10261)
Vulnerability from nvd – Published: 2024-11-09 11:19 – Updated: 2026-04-08 17:31
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.13.0 - Unauthenticated Arbitrary Shortcode Execution
Summary
The The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity ?
7.3 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.13.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cozmoslabs:paid_member_subscriptions:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "paid_member_subscriptions",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T16:07:52.521244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T18:30:55.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:31:07.721Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eaf19371-7b06-45c6-bf16-6ef7dfffb175?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3182968/paid-member-subscriptions"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-22T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-11-08T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.13.0 - Unauthenticated Arbitrary Shortcode Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10261",
"datePublished": "2024-11-09T11:19:45.940Z",
"dateReserved": "2024-10-22T20:12:16.856Z",
"dateUpdated": "2026-04-08T17:31:07.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9222 (GCVE-0-2024-9222)
Vulnerability from nvd – Published: 2024-10-02 07:35 – Updated: 2026-04-08 16:59
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.12.8 - Reflected Cross-Site Scripting
Summary
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.12.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.12.8
(semver)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:iovamihai:paid_membership_subscriptions_effortless_memberships_recurring_payments_and_content_restriction:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "paid_membership_subscriptions_effortless_memberships_recurring_payments_and_content_restriction",
"vendor": "iovamihai",
"versions": [
{
"lessThanOrEqual": "2.12.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T18:54:42.456223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T18:56:55.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.12.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Colin Xu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.12.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:59:23.707Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d43235b-9c5e-4d7f-99f0-28dcab4b2a91?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/tags/2.12.8/includes/admin/class-admin-payments-list-table.php#L155"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3160323/#file10"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-01T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.12.8 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9222",
"datePublished": "2024-10-02T07:35:28.153Z",
"dateReserved": "2024-09-26T17:12:26.581Z",
"dateUpdated": "2026-04-08T16:59:23.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1390 (GCVE-0-2024-1390)
Vulnerability from nvd – Published: 2024-02-20 18:56 – Updated: 2026-04-08 16:36
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.11.1 - Missing Authorization via creating_pricing_table_page
Summary
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.11.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:20.369Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10f00859-3adf-40ff-8f33-827bbb1f62df?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/admin/class-admin-subscription-plans.php#L477"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3034497%40paid-member-subscriptions%2Ftrunk\u0026old=3031453%40paid-member-subscriptions%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1390",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T18:52:26.811612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T18:52:47.596Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:10.077Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10f00859-3adf-40ff-8f33-827bbb1f62df?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/admin/class-admin-subscription-plans.php#L477"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3034497%40paid-member-subscriptions%2Ftrunk\u0026old=3031453%40paid-member-subscriptions%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.11.1 - Missing Authorization via creating_pricing_table_page"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1390",
"datePublished": "2024-02-20T18:56:19.872Z",
"dateReserved": "2024-02-08T22:16:32.856Z",
"dateUpdated": "2026-04-08T16:36:10.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1389 (GCVE-0-2024-1389)
Vulnerability from nvd – Published: 2024-02-20 18:56 – Updated: 2026-04-08 17:24
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.11.1 - Missing Authorization via pms_stripe_connect_handle_authorization_return
Summary
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_stripe_connect_handle_authorization_return function in all versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to change the Stripe payment keys.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.11.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:iovamihai:paid_membership_subscriptions_effortless_memberships_recurring_payments_and_content_restriction:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "paid_membership_subscriptions_effortless_memberships_recurring_payments_and_content_restriction",
"vendor": "iovamihai",
"versions": [
{
"lessThanOrEqual": "2.11.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T20:20:00.881950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T15:02:56.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:20.600Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd5f5861-5be4-456d-915d-bafb7bff2110?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/gateways/stripe/admin/functions-admin-connect.php#L11"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3034497%40paid-member-subscriptions%2Ftrunk\u0026old=3031453%40paid-member-subscriptions%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_stripe_connect_handle_authorization_return function in all versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to change the Stripe payment keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:06.007Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd5f5861-5be4-456d-915d-bafb7bff2110?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/gateways/stripe/admin/functions-admin-connect.php#L11"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3034497%40paid-member-subscriptions%2Ftrunk\u0026old=3031453%40paid-member-subscriptions%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.11.1 - Missing Authorization via pms_stripe_connect_handle_authorization_return"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1389",
"datePublished": "2024-02-20T18:56:46.095Z",
"dateReserved": "2024-02-08T22:06:28.929Z",
"dateUpdated": "2026-04-08T17:24:06.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11835 (GCVE-0-2025-11835)
Vulnerability from cvelistv5 – Published: 2025-11-05 03:27 – Updated: 2026-04-08 17:31
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.16.4 - Missing Authorization to Unauthenticated Arbitrary Member Subscription Auto Renewal
Summary
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability and validation check on the PMS_AJAX_Checkout_Handler::process_payment() function in all versions up to, and including, 2.16.4. This makes it possible for unauthenticated attackers to trigger stored auto-renew charges for arbitrary members.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.16.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11835",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T14:14:40.527293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T14:26:27.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.16.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafshanzani Suhada"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability and validation check on the PMS_AJAX_Checkout_Handler::process_payment() function in all versions up to, and including, 2.16.4. This makes it possible for unauthenticated attackers to trigger stored auto-renew charges for arbitrary members."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:31:09.651Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eb1948bd-c5b4-4fbe-9aa6-19f24325e6bb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3383182/paid-member-subscriptions"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-15T22:04:23.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-04T14:36:11.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.16.4 - Missing Authorization to Unauthenticated Arbitrary Member Subscription Auto Renewal"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11835",
"datePublished": "2025-11-05T03:27:57.526Z",
"dateReserved": "2025-10-15T21:48:26.282Z",
"dateUpdated": "2026-04-08T17:31:09.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12919 (GCVE-0-2024-12919)
Vulnerability from cvelistv5 – Published: 2025-01-14 09:21 – Updated: 2026-04-08 17:25
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.13.7 - Authentication Bypass via pms_payment_id
Summary
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the 'pms_payment_id' parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site.
Severity ?
9.8 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.13.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12919",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T14:42:16.945669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T14:43:35.557Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.13.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the \u0027pms_payment_id\u0027 parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:25:38.671Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a4fa4d-a7d2-4890-b0f5-5fe69bc5e7ac?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3214706/paid-member-subscriptions"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-24T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.13.7 - Authentication Bypass via pms_payment_id"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12919",
"datePublished": "2025-01-14T09:21:55.299Z",
"dateReserved": "2024-12-24T17:14:52.449Z",
"dateUpdated": "2026-04-08T17:25:38.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11291 (GCVE-0-2024-11291)
Vulnerability from cvelistv5 – Published: 2024-12-18 11:09 – Updated: 2026-04-08 17:29
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.13.4 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Summary
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.4 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.13.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-18T16:26:29.579642Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T16:29:54.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.13.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.4 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:29:05.556Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e207f1a3-2ca5-46d1-91a9-89652451266c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3206206/paid-member-subscriptions"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-18T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-12-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.13.4 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11291",
"datePublished": "2024-12-18T11:09:31.646Z",
"dateReserved": "2024-11-15T21:37:54.832Z",
"dateUpdated": "2026-04-08T17:29:05.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-10261 (GCVE-0-2024-10261)
Vulnerability from cvelistv5 – Published: 2024-11-09 11:19 – Updated: 2026-04-08 17:31
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.13.0 - Unauthenticated Arbitrary Shortcode Execution
Summary
The The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity ?
7.3 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.13.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cozmoslabs:paid_member_subscriptions:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "paid_member_subscriptions",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T16:07:52.521244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T18:30:55.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.13.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:31:07.721Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eaf19371-7b06-45c6-bf16-6ef7dfffb175?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3182968/paid-member-subscriptions"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-22T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-11-08T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.13.0 - Unauthenticated Arbitrary Shortcode Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10261",
"datePublished": "2024-11-09T11:19:45.940Z",
"dateReserved": "2024-10-22T20:12:16.856Z",
"dateUpdated": "2026-04-08T17:31:07.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9222 (GCVE-0-2024-9222)
Vulnerability from cvelistv5 – Published: 2024-10-02 07:35 – Updated: 2026-04-08 16:59
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.12.8 - Reflected Cross-Site Scripting
Summary
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.12.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.12.8
(semver)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:iovamihai:paid_membership_subscriptions_effortless_memberships_recurring_payments_and_content_restriction:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "paid_membership_subscriptions_effortless_memberships_recurring_payments_and_content_restriction",
"vendor": "iovamihai",
"versions": [
{
"lessThanOrEqual": "2.12.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T18:54:42.456223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T18:56:55.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.12.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Colin Xu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.12.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:59:23.707Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d43235b-9c5e-4d7f-99f0-28dcab4b2a91?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/tags/2.12.8/includes/admin/class-admin-payments-list-table.php#L155"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3160323/#file10"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-01T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.12.8 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9222",
"datePublished": "2024-10-02T07:35:28.153Z",
"dateReserved": "2024-09-26T17:12:26.581Z",
"dateUpdated": "2026-04-08T16:59:23.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1389 (GCVE-0-2024-1389)
Vulnerability from cvelistv5 – Published: 2024-02-20 18:56 – Updated: 2026-04-08 17:24
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.11.1 - Missing Authorization via pms_stripe_connect_handle_authorization_return
Summary
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_stripe_connect_handle_authorization_return function in all versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to change the Stripe payment keys.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.11.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:iovamihai:paid_membership_subscriptions_effortless_memberships_recurring_payments_and_content_restriction:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "paid_membership_subscriptions_effortless_memberships_recurring_payments_and_content_restriction",
"vendor": "iovamihai",
"versions": [
{
"lessThanOrEqual": "2.11.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T20:20:00.881950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T15:02:56.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:20.600Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd5f5861-5be4-456d-915d-bafb7bff2110?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/gateways/stripe/admin/functions-admin-connect.php#L11"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3034497%40paid-member-subscriptions%2Ftrunk\u0026old=3031453%40paid-member-subscriptions%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_stripe_connect_handle_authorization_return function in all versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to change the Stripe payment keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:06.007Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd5f5861-5be4-456d-915d-bafb7bff2110?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/gateways/stripe/admin/functions-admin-connect.php#L11"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3034497%40paid-member-subscriptions%2Ftrunk\u0026old=3031453%40paid-member-subscriptions%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.11.1 - Missing Authorization via pms_stripe_connect_handle_authorization_return"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1389",
"datePublished": "2024-02-20T18:56:46.095Z",
"dateReserved": "2024-02-08T22:06:28.929Z",
"dateUpdated": "2026-04-08T17:24:06.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1390 (GCVE-0-2024-1390)
Vulnerability from cvelistv5 – Published: 2024-02-20 18:56 – Updated: 2026-04-08 16:36
VLAI?
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.11.1 - Missing Authorization via creating_pricing_table_page
Summary
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cozmoslabs | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction |
Affected:
0 , ≤ 2.11.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:20.369Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10f00859-3adf-40ff-8f33-827bbb1f62df?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/admin/class-admin-subscription-plans.php#L477"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3034497%40paid-member-subscriptions%2Ftrunk\u0026old=3031453%40paid-member-subscriptions%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1390",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T18:52:26.811612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T18:52:47.596Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction",
"vendor": "cozmoslabs",
"versions": [
{
"lessThanOrEqual": "2.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:10.077Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10f00859-3adf-40ff-8f33-827bbb1f62df?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/admin/class-admin-subscription-plans.php#L477"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3034497%40paid-member-subscriptions%2Ftrunk\u0026old=3031453%40paid-member-subscriptions%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction \u003c= 2.11.1 - Missing Authorization via creating_pricing_table_page"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1390",
"datePublished": "2024-02-20T18:56:19.872Z",
"dateReserved": "2024-02-08T22:16:32.856Z",
"dateUpdated": "2026-04-08T16:36:10.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}