Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction, CVE-2024-12919

CVE, Research URL: CVE-2024-12919
Home page URL: Security reports for Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Application: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Published on: Jan 14, 2025
Research Description: The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the 'pms_payment_id' parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site.
Affected versions: Min -, max 2.13.8.
Status: vulnerable

Paid Membership Subscriptions &#8211; Effortless Memberships, Recurring Payments &amp; Content Restriction, CVE-2024-12919