Primary

Context

Paid Membership Subscriptions WordPress Plugin Missing Authorization Vulnerability in Process Payment Function

Vulnerability

Patched

A vulnerability exists in the Paid Membership Subscriptions WordPress plugin, specifically in versions through 2.16.4. The issue arises from a missing capability and validation check in the PMS_AJAX_Checkout_Handler::process_payment() function. This flaw allows unauthenticated attackers to manipulate data by triggering stored auto-renewal charges for arbitrary members.

Impact

Exploitation of this vulnerability allows for unauthorized initiation of auto-renewal charges on behalf of any member, potentially leading to unauthorized financial transactions.

Remediation

Users can update to version 2.16.5 or a newer patched version to address this vulnerability.

Added: Nov 5, 2025, 4:17 AM

Updated: Nov 5, 2025, 4:17 AM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

8.2

remediation

7.7

relevance

0.9

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

8.2

remediation

7.7

relevance

0.9

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Paid Membership Subscriptions WordPress Plugin Missing Authorization Vulnerability in Process Payment Function

Vulnerability

Impact

Remediation

Affected Products

Cozmoslabs Paid Membership Subscriptions

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating