First published: Thu Jan 11 2024
The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function in all versions up to 2.12.5 (inclusive). This makes it possible for unauthenticated attackers to change membership levels including prices.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Paid Memberships Pro | <=2.12.5 | Update to 2.12.6 or later |
CVE-2023-6855 has a medium severity level due to its potential for unauthorized modification of membership levels.
To fix CVE-2023-6855, update the Paid Memberships Pro plugin to version 2.12.6 or later.
The potential impacts of CVE-2023-6855 include unauthorized access to modify membership levels, which could compromise user data.
CVE-2023-6855 affects Paid Memberships Pro versions up to and including 2.12.5.
The vulnerability in CVE-2023-6855 is due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function.
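The defect class described above is a REST API `permission_callback` that does not enforce the right authorization before a write. The following added example, written for this page and not code from Paid Memberships Pro, shows what a correctly implemented permissions check for a level-editing route looks like; the route namespace, option key and callback names are hypothetical, and `manage_options` stands in for whatever narrower capability a real plugin would register.

```php
<?php
// Added illustration of a correctly implemented REST permission callback.
// Hypothetical route/namespace/option names; not Paid Memberships Pro code.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-memberships/v1', '/levels/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
        'callback'            => 'example_update_level',
        'permission_callback' => 'example_level_write_permissions_check',
        'args'                => array(
            'id'              => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            'initial_payment' => array( 'required' => true, 'sanitize_callback' => 'floatval' ),
        ),
    ) );
} );

/**
 * Authorization for writes to membership levels.
 * Returning true unconditionally, or only checking is_user_logged_in(),
 * would let an anonymous visitor or any low-privilege account change
 * levels and prices; a write route needs a capability check.
 */
function example_level_write_permissions_check( WP_REST_Request $request ) {
    // WordPress validates the X-WP-Nonce header (or an application password)
    // before dispatch, so an unauthenticated request arrives here as user 0.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Require a capability scoped to the action, not mere login.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    return true;
}

function example_update_level( WP_REST_Request $request ) {
    $id     = (int) $request->get_param( 'id' );
    $levels = get_option( 'example_membership_levels', array() ); // hypothetical option
    if ( ! isset( $levels[ $id ] ) ) {
        return new WP_Error( 'not_found', 'Unknown level.', array( 'status' => 404 ) );
    }
    $levels[ $id ]['initial_payment'] = (float) $request->get_param( 'initial_payment' );
    update_option( 'example_membership_levels', $levels );
    return rest_ensure_response( $levels[ $id ] );
}
```

For detection, a route whose `permission_callback` is `__return_true` or absent while its `methods` include writes is the pattern to look for in a code review; WordPress itself logs a `_doing_it_wrong` notice when `permission_callback` is missing entirely.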