Skip to main content

Paid Member Subscriptions

2 CVEs product

Monthly

CVE-2026-57348 HIGH This Week

Server-Side Request Forgery in the Paid Member Subscriptions WordPress plugin (versions 3.0.4 and earlier by Cozmoslabs) lets remote unauthenticated attackers coerce the WordPress server into issuing arbitrary outbound HTTP requests. Per the CVSS vector (PR:N, S:C) the flaw is reachable without authentication and crosses a security boundary, enabling attackers to reach internal-only services, cloud metadata endpoints, or other back-end systems the WordPress host can talk to. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS was not provided.

SSRF Paid Member Subscriptions
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-39514 HIGH This Week

Reflected cross-site scripting in the Paid Member Subscriptions WordPress plugin (versions through 2.17.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. No public exploit identified at time of analysis, but the vulnerability is reachable without authentication and carries a CVSS 3.1 score of 7.1 driven by scope change. The flaw was disclosed by Patchstack and affects the Cozmoslabs-maintained membership/subscription plugin used on WordPress sites.

XSS Paid Member Subscriptions
NVD
CVSS 3.1
7.1
EPSS
0.2%
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery in the Paid Member Subscriptions WordPress plugin (versions 3.0.4 and earlier by Cozmoslabs) lets remote unauthenticated attackers coerce the WordPress server into issuing arbitrary outbound HTTP requests. Per the CVSS vector (PR:N, S:C) the flaw is reachable without authentication and crosses a security boundary, enabling attackers to reach internal-only services, cloud metadata endpoints, or other back-end systems the WordPress host can talk to. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS was not provided.

SSRF Paid Member Subscriptions
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Paid Member Subscriptions WordPress plugin (versions through 2.17.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. No public exploit identified at time of analysis, but the vulnerability is reachable without authentication and carries a CVSS 3.1 score of 7.1 driven by scope change. The flaw was disclosed by Patchstack and affects the Cozmoslabs-maintained membership/subscription plugin used on WordPress sites.

XSS Paid Member Subscriptions
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy