Cross-Site Request Forgery Vulnerability in Subscriptions & Memberships for PayPal Plugin
CVE-2024-13560

4.3MEDIUM

Key Information:

Vendor: Scottpaterson
Status: Subscriptions & Memberships For Paypal
Vendor: CVE Published:; 26 February 2025

Summary

The Subscriptions & Memberships for PayPal plugin for WordPress is susceptible to Cross-Site Request Forgery due to inadequate nonce validation in its functions. This vulnerability enables unauthenticated attackers to initiate malicious requests that could result in the deletion of arbitrary posts, provided they can deceive an administrator into executing a malicious link. All versions up to and including 1.1.6 are affected.

Affected Version(s)

Subscriptions & Memberships for PayPal * <= 1.1.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/subscriptions-memberships-f...

https://plugins.trac.wordpress.org/changeset/3246039/subs...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 26, 2025
Vulnerability Reserved
Jan 20, 2025

Credit

Krzysztof Zając