Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network without authentication but requiring a victim click (UI:R); script executes in browser context crossing scope (S:C) with limited C/I/A.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Paid Member Subscriptions <= 2.17.3 versions.
AnalysisAI
Reflected cross-site scripting in the Paid Member Subscriptions WordPress plugin (versions through 2.17.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. No public exploit identified at time of analysis, but the vulnerability is reachable without authentication and carries a CVSS 3.1 score of 7.1 driven by scope change. The flaw was disclosed by Patchstack and affects the Cozmoslabs-maintained membership/subscription plugin used on WordPress sites.
Technical ContextAI
Paid Member Subscriptions is a WordPress plugin by Cozmoslabs (CPE cpe:2.3:a:cozmoslabs:paid_member_subscriptions) that handles paid memberships, subscriptions, and restricted content on WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is reflected back into an HTML response without proper output encoding or contextual escaping. In this class of bug, a request parameter is echoed into the page so that injected <script> or attribute-breaking payloads execute in the victim's browser under the site's origin. The CVSS scope-change flag (S:C) indicates the injected script can act beyond the vulnerable component - typical for stored/reflected XSS in WordPress because malicious script in the public site context can pivot to authenticated admin sessions and the WordPress admin component.
RemediationAI
Upgrade the Paid Member Subscriptions plugin to a version newer than 2.17.3 as soon as a fixed release is published by Cozmoslabs; no specific fixed version is enumerated in the provided data, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/paid-member-subscriptions/vulnerability/wordpress-paid-member-subscriptions-plugin-2-17-3-reflected-cross-site-scripting-xss-vulnerability) and the plugin's WordPress.org changelog for the patched release. Until upgraded, compensating controls include deploying a WAF rule (e.g., Patchstack, Wordfence) to filter reflected XSS payloads against plugin endpoints, enforcing a strict Content-Security-Policy that forbids inline scripts on pages served by the plugin (trade-off: may break legitimate inline handlers in themes), and instructing administrators not to click membership-related links from untrusted sources. Disabling or uninstalling the plugin entirely is the most reliable workaround but will break paid membership and subscription functionality on the site.
More in Paid Member Subscriptions
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36953
GHSA-pph5-c47c-2wv3