CVE-2023-6855

MEDIUM

Paid Memberships Pro <= 2.12.5 - Unauthenticated Membership Level Modification via Incorrect Capability Check

Title source: llm

Description

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of the membership levels the plugin creates, due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function, in all versions up to 2.12.5 (inclusive). This makes it possible for unauthenticated attackers to change membership levels, including their prices, through the plugin's REST API.
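The failure class here is a shared REST permission callback that does not gate state-changing requests. The following is an added example, written for this page and not code from Paid Memberships Pro: it shows a hypothetical route-based allow list that ignores the HTTP method (so a route that is public for GET lookups also accepts unauthenticated POST writes) next to a fail-closed rewrite. The namespace `example/v1`, the route `/membership_level`, the capability names and the handler `example_update_level` are all assumptions for illustration.

```php
<?php
/**
 * Added example (hypothetical, not Paid Memberships Pro code).
 * Shows how one shared permission callback becomes a CWE-862
 * missing-authorization bug and how to make it fail closed.
 */

// Routes intended to be readable without login. The list is keyed by
// route string only, which is the root of the bug below: the same route
// string serves both GET (read) and POST (write).
function example_public_routes() {
    return array( '/example/v1/membership_level' );
}

// --- Vulnerable pattern -------------------------------------------------
// Returns true for any request whose route is on the public list, without
// looking at the method. An anonymous POST to /membership_level therefore
// reaches the update handler.
function example_get_permissions_check_vulnerable( WP_REST_Request $request ) {
    if ( in_array( $request->get_route(), example_public_routes(), true ) ) {
        return true; // BUG: write requests are waved through too
    }
    return current_user_can( 'manage_options' );
}

// --- Hardened pattern ---------------------------------------------------
// Only read methods may use the public list. Every write needs an explicit
// capability, and anything unmatched is denied. Returning WP_Error with
// rest_authorization_required_code() yields 401 for anonymous callers and
// 403 for logged-in users lacking the capability.
function example_get_permissions_check_hardened( WP_REST_Request $request ) {
    $method  = $request->get_method();
    $is_read = in_array( $method, array( 'GET', 'HEAD', 'OPTIONS' ), true );

    if ( $is_read && in_array( $request->get_route(), example_public_routes(), true ) ) {
        return true; // public read-only lookup
    }

    // 'example_edit_levels' is an assumed capability name for this example.
    if ( current_user_can( 'example_edit_levels' ) || current_user_can( 'manage_options' ) ) {
        return true;
    }

    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to modify membership levels.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

// Route registration. The write route uses the hardened callback, and the
// handler re-checks the capability itself as defence in depth so a future
// change to the shared callback cannot silently reopen the route.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/membership_level', array(
        array(
            'methods'             => WP_REST_Server::READABLE, // GET
            'callback'            => 'example_get_level',
            'permission_callback' => 'example_get_permissions_check_hardened',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE, // POST/PUT/PATCH
            'callback'            => 'example_update_level',
            'permission_callback' => 'example_get_permissions_check_hardened',
            'args'                => array(
                'id'              => array( 'required' => true, 'type' => 'integer' ),
                'initial_payment' => array( 'type' => 'number', 'minimum' => 0 ),
            ),
        ),
    ) );
} );

function example_get_level( WP_REST_Request $request ) {
    // Illustrative read handler: echoes the requested id.
    return rest_ensure_response( array( 'id' => (int) $request['id'] ) );
}

function example_update_level( WP_REST_Request $request ) {
    // Defence in depth: the handler never trusts the route gate alone.
    if ( ! current_user_can( 'example_edit_levels' ) && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', __( 'Forbidden.' ), array( 'status' => 403 ) );
    }
    // Illustrative write handler; persistence is out of scope here.
    return rest_ensure_response( array(
        'id'              => (int) $request['id'],
        'initial_payment' => (float) $request['initial_payment'],
    ) );
}
```

A quick regression check for this class of bug is to send the write request with no cookie or nonce and expect a 401 response body with code `rest_forbidden`; a 200 means the permission callback is still method-blind.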

Scores

CVSS v3 5.3
EPSS 0.0051
EPSS Percentile 39.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-862 (Missing Authorization)
Status published
Products (2)
strangerstudios/Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions <= 2.12.5
strangerstudios/paid_memberships_pro <= 2.12.5
Published Jan 11, 2024
Tracked Since Feb 18, 2026