Paid Member Subscriptions
Monthly
Server-Side Request Forgery in the Paid Member Subscriptions WordPress plugin (versions 3.0.4 and earlier by Cozmoslabs) lets remote unauthenticated attackers coerce the WordPress server into issuing arbitrary outbound HTTP requests. Per the CVSS vector (PR:N, S:C) the flaw is reachable without authentication and crosses a security boundary, enabling attackers to reach internal-only services, cloud metadata endpoints, or other back-end systems the WordPress host can talk to. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS was not provided.
Reflected cross-site scripting in the Paid Member Subscriptions WordPress plugin (versions through 2.17.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. No public exploit identified at time of analysis, but the vulnerability is reachable without authentication and carries a CVSS 3.1 score of 7.1 driven by scope change. The flaw was disclosed by Patchstack and affects the Cozmoslabs-maintained membership/subscription plugin used on WordPress sites.
Server-Side Request Forgery in the Paid Member Subscriptions WordPress plugin (versions 3.0.4 and earlier by Cozmoslabs) lets remote unauthenticated attackers coerce the WordPress server into issuing arbitrary outbound HTTP requests. Per the CVSS vector (PR:N, S:C) the flaw is reachable without authentication and crosses a security boundary, enabling attackers to reach internal-only services, cloud metadata endpoints, or other back-end systems the WordPress host can talk to. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS was not provided.
Reflected cross-site scripting in the Paid Member Subscriptions WordPress plugin (versions through 2.17.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. No public exploit identified at time of analysis, but the vulnerability is reachable without authentication and carries a CVSS 3.1 score of 7.1 driven by scope change. The flaw was disclosed by Patchstack and affects the Cozmoslabs-maintained membership/subscription plugin used on WordPress sites.