Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Network CSRF with no attacker privileges but requiring a logged-in admin to interact (UI:R); forged admin action yields high impact to member data integrity, confidentiality, and availability.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Request Forgery (CSRF) in Paid Memberships Pro - Add Member From Admin <= 0.7.2 versions.
AnalysisAI
Cross-Site Request Forgery in the WordPress plugin 'Paid Memberships Pro - Add Member From Admin' (versions 0.7.2 and earlier) lets a remote attacker forge privileged member-management actions by tricking a logged-in administrator into loading a malicious page. Because the plugin's member-add functionality lacks valid CSRF nonce protection (CWE-352), an attacker can abuse the admin's authenticated session to create or modify membership records, yielding high confidentiality, integrity, and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a victim with an active, authenticated WordPress administrator session for the target site (the privileged feature is admin-facing) and that victim must be induced to load attacker-controlled content while that session is valid - this is the UI:R requirement and the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 8.8) describes a network-reachable, low-complexity attack requiring no attacker privileges but mandating user interaction (UI:R) - consistent with classic CSRF, where the 'PR:N' reflects that the attacker holds no credentials while leverage comes from the victim admin's session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious web page or email containing a hidden auto-submitting form (or image/script request) targeting the plugin's add-member endpoint. While an authenticated WordPress administrator is logged in, they are lured into visiting the page, and their browser silently submits the forged request, causing the site to create or alter a membership account under the admin's authority. … |
| Remediation | Patch status: no exact fixed version was provided in the input, and the only reference is a Patchstack advisory rather than a tagged release, so treat the fix as not independently confirmed and update to the latest available release of 'Paid Memberships Pro - Add Member From Admin' above 0.7.2 once published - consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/pmpro-add-member-admin/vulnerability/wordpress-paid-memberships-pro-add-member-from-admin-plugin-0-7-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) and the plugin's WordPress.org page for the patched version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit membership records for unauthorized account modifications and deactivate the plugin if non-critical. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39664
GHSA-2c8x-qv4p-jqcj