How to fix CVE-2024-12919?

Within 7 days: Identify all affected systems running for WordPress is vulnerable to Authentication Bypass in all and apply vendor patches promptly. Audit authentication configurations and rotate any potentially compromised credentials.

Is Membership Content Restriction Paid Member Subscriptions affected by CVE-2024-12919?

Organizations using for WordPress is vulnerable to Authentication Bypass in all face critical risk from CVE-2024-12919, a improper authentication vulnerability rated CVSS 9.8. Attackers could bypass security controls to gain unauthorized access to protected resources and sensitive data.

Membership Content Restriction Paid Member Subscriptions CVE-2024-12919

CRITICAL

Improper Authentication (CWE-287)

2025-01-14 [email protected]

Authentication Bypass WordPress Membership Content Restriction Paid Member Subscriptions

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:03 vuln.today

Patch released

Mar 28, 2026 - 18:03 nvd

Patch available

CVE Published

Jan 14, 2025 - 10:15 nvd

CRITICAL 9.8

DescriptionNVD

The Paid Membership Subscriptions - Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the 'pms_payment_id' parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site.

AnalysisAI

The Paid Membership Subscriptions - Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Technical ContextAI

This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. The Paid Membership Subscriptions - Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the 'pms_payment_id' parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site. Affected products include: Cozmoslabs Membership \& Content Restriction - Paid Member Subscriptions.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.

CVE-2024-12919 vulnerability details – vuln.today

Back

Membership Content Restriction Paid Member Subscriptions CVE-2024-12919

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code