Skip to main content

Paid Member Subscriptions CVE-2026-39514

| EUVDEUVD-2026-36953 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-pph5-c47c-2wv3
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS reachable over the network without authentication but requiring a victim click (UI:R); script executes in browser context crossing scope (S:C) with limited C/I/A.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:21 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Paid Member Subscriptions <= 2.17.3 versions.

AnalysisAI

Reflected cross-site scripting in the Paid Member Subscriptions WordPress plugin (versions through 2.17.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. No public exploit identified at time of analysis, but the vulnerability is reachable without authentication and carries a CVSS 3.1 score of 7.1 driven by scope change. The flaw was disclosed by Patchstack and affects the Cozmoslabs-maintained membership/subscription plugin used on WordPress sites.

Technical ContextAI

Paid Member Subscriptions is a WordPress plugin by Cozmoslabs (CPE cpe:2.3:a:cozmoslabs:paid_member_subscriptions) that handles paid memberships, subscriptions, and restricted content on WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is reflected back into an HTML response without proper output encoding or contextual escaping. In this class of bug, a request parameter is echoed into the page so that injected <script> or attribute-breaking payloads execute in the victim's browser under the site's origin. The CVSS scope-change flag (S:C) indicates the injected script can act beyond the vulnerable component - typical for stored/reflected XSS in WordPress because malicious script in the public site context can pivot to authenticated admin sessions and the WordPress admin component.

RemediationAI

Upgrade the Paid Member Subscriptions plugin to a version newer than 2.17.3 as soon as a fixed release is published by Cozmoslabs; no specific fixed version is enumerated in the provided data, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/paid-member-subscriptions/vulnerability/wordpress-paid-member-subscriptions-plugin-2-17-3-reflected-cross-site-scripting-xss-vulnerability) and the plugin's WordPress.org changelog for the patched release. Until upgraded, compensating controls include deploying a WAF rule (e.g., Patchstack, Wordfence) to filter reflected XSS payloads against plugin endpoints, enforcing a strict Content-Security-Policy that forbids inline scripts on pages served by the plugin (trade-off: may break legitimate inline handlers in themes), and instructing administrators not to click membership-related links from untrusted sources. Disabling or uninstalling the plugin entirely is the most reliable workaround but will break paid membership and subscription functionality on the site.

Share

CVE-2026-39514 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy