Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated network SSRF (AV:N/AC:L/PR:N/UI:N) that pivots the server against other systems (S:C) with limited disclosure/manipulation and no availability loss (C:L/I:L/A:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Server Side Request Forgery (SSRF) in Paid Member Subscriptions <= 3.0.4 versions.
AnalysisAI
Server-Side Request Forgery in the Paid Member Subscriptions WordPress plugin (versions 3.0.4 and earlier by Cozmoslabs) lets remote unauthenticated attackers coerce the WordPress server into issuing arbitrary outbound HTTP requests. Per the CVSS vector (PR:N, S:C) the flaw is reachable without authentication and crosses a security boundary, enabling attackers to reach internal-only services, cloud metadata endpoints, or other back-end systems the WordPress host can talk to. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication or user interaction is required (PR:N/UI:N), and the attack is delivered over the network (AV:N) at low complexity (AC:L) against Paid Member Subscriptions <= 3.0.4, so default installations of the vulnerable plugin are exposed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderate and internally consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request to the vulnerable plugin endpoint with a URL parameter pointing at an internal target, such as http://169.254.169.254/latest/meta-data/ or an internal admin service. The WordPress server dutifully makes the request from its own network position, and the attacker uses the response (or timing/behavioral differences) to enumerate internal hosts or harvest cloud credentials. … |
| Remediation | Upgrade the Paid Member Subscriptions plugin to a version newer than 3.0.4 as published by Cozmoslabs; the exact fixed version is not confirmed in the provided data, so verify the current patched release via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/paid-member-subscriptions/vulnerability/wordpress-paid-member-subscriptions-plugin-3-0-4-server-side-request-forgery-ssrf-vulnerability) and the plugin's WordPress.org page before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Scan all WordPress instances for Paid Member Subscriptions plugin versions 3.0.4 or earlier; disable the plugin immediately on non-critical systems pending patch availability. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Paid Member Subscriptions
View allSame weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41347
GHSA-7w66-jfcx-mxqh