Skip to main content

Paid Memberships Pro - Add Member From Admin EUVDEUVD-2026-39664

| CVE-2026-57659 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-26 audit@patchstack.com GHSA-2c8x-qv4p-jqcj
8.8
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network CSRF with no attacker privileges but requiring a logged-in admin to interact (UI:R); forged admin action yields high impact to member data integrity, confidentiality, and availability.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:46 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Request Forgery (CSRF) in Paid Memberships Pro - Add Member From Admin <= 0.7.2 versions.

AnalysisAI

Cross-Site Request Forgery in the WordPress plugin 'Paid Memberships Pro - Add Member From Admin' (versions 0.7.2 and earlier) lets a remote attacker forge privileged member-management actions by tricking a logged-in administrator into loading a malicious page. Because the plugin's member-add functionality lacks valid CSRF nonce protection (CWE-352), an attacker can abuse the admin's authenticated session to create or modify membership records, yielding high confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure admin to malicious page
Delivery
Auto-submit forged add-member request
Exploit
Browser sends admin session cookies
Execution
Plugin processes request without nonce check
Impact
Unauthorized membership account created/modified

Vulnerability AssessmentAI

Exploitation Exploitation requires a victim with an active, authenticated WordPress administrator session for the target site (the privileged feature is admin-facing) and that victim must be induced to load attacker-controlled content while that session is valid - this is the UI:R requirement and the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 8.8) describes a network-reachable, low-complexity attack requiring no attacker privileges but mandating user interaction (UI:R) - consistent with classic CSRF, where the 'PR:N' reflects that the attacker holds no credentials while leverage comes from the victim admin's session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious web page or email containing a hidden auto-submitting form (or image/script request) targeting the plugin's add-member endpoint. While an authenticated WordPress administrator is logged in, they are lured into visiting the page, and their browser silently submits the forged request, causing the site to create or alter a membership account under the admin's authority. …
Remediation Patch status: no exact fixed version was provided in the input, and the only reference is a Patchstack advisory rather than a tagged release, so treat the fix as not independently confirmed and update to the latest available release of 'Paid Memberships Pro - Add Member From Admin' above 0.7.2 once published - consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/pmpro-add-member-admin/vulnerability/wordpress-paid-memberships-pro-add-member-from-admin-plugin-0-7-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) and the plugin's WordPress.org page for the patched version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit membership records for unauthorized account modifications and deactivate the plugin if non-critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39664 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy