Jared Reyes

**Name of the Vulnerable Software and Affected Versions** Paid Memberships Pro versions prior to 3.6.6 **Description** The Paid Memberships Pro plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to modify or disrupt Stripe webhook configurations. This is caused by missing capability checks in the AJAX handlers `wp ajax pmpro stripe create webhook()`, `wp ajax pmpro stripe delete webhook()`, and `wp ajax pmpro stripe rebuild webhook()`. Exploitation can lead to the deletion, creation, or rebuilding of the site's Stripe webhook, which disrupts payment processing, subscription renewal synchronization, cancellation handling, and failed payment management. **Recommendations** Update to a version later than 3.6.5. As a temporary workaround, restrict access to the `wp ajax pmpro stripe create webhook()`, `wp ajax pmpro stripe delete webhook()`, and `wp ajax pmpro stripe rebuild webhook()` handlers.

**Name of the Vulnerable Software and Affected Versions** wpForo Forum versions prior to 2.4.17 **Description** The plugin is susceptible to unauthorized data modification because the `edit()` function in `classes/Posts.php` uses `extract($args, EXTR OVERWRITE)` on user-controlled input. The `post edit` action handler in `Actions.php` passes the `$ REQUEST['post']` variable directly to the `edit()` function. An authenticated attacker with Subscriber-level access or higher can inject `post[guestposting]=1` to overwrite the `$guestposting` variable, bypassing permission checks. Additionally, the use of a hardcoded `wpforo verify form` action for nonce verification across all forum templates allows any user viewing a forum page to obtain a valid nonce. This enables the modification of the title, body, name, and email fields of any forum post, including those in private forums or created by administrators and moderators. Input is processed by `wpforo kses()`, which removes JavaScript but permits rich HTML. **Recommendations** Update the plugin to a version newer than 2.4.16.