CVE-2023-6855

Name of the Vulnerable Software and Affected Versions Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress versions up to 2.12.5

Description The issue arises from an incorrectly implemented capability check in the pmpro rest api get permissions check function, allowing unauthenticated attackers to modify membership levels, including prices. This enables unauthorized changes to membership levels created by the plugin.

Recommendations For versions up to 2.12.5, update to a version later than 2.12.5 to resolve the issue. As a temporary workaround, consider disabling the pmpro rest api get permissions check function until a patch is available. Restrict access to the plugin's API endpoints to minimize the risk of exploitation. Avoid using the plugin's membership level modification features until the issue is resolved.