CVE-2020-36754

Summary

The Paid Memberships Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.2. This is due to missing or incorrect nonce validation on the pmpro_page_save() function. This makes it possible for unauthenticated attackers to save pages via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected Software

VendorProductVersion RangeStatus
strangerstudiosPaid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions0 < 2.4.3affected

Weaknesses

  • CWE-352: CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CVE Program Container

Additional References

References