Unauthorized Data Modification in Paid Membership Subscriptions Plugin for WordPress
CVE-2025-11835

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Vendor: CVE Published:; 5 November 2025

What is CVE-2025-11835?

The Paid Membership Subscriptions plugin for WordPress contains a vulnerability that permits unauthorized users to modify data. This issue arises from a lack of adequate capability and validation checks in the PMS_AJAX_Checkout_Handler::process_payment() function. Consequently, an attacker can exploit this flaw to initiate stored auto-renew charges for any member without authentication. All versions up to and including 2.16.4 are susceptible, leaving sites utilizing the plugin at risk of unauthorized financial transactions.

Affected Version(s)

Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction * <= 2.16.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3383182/paid...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 5, 2025
Vulnerability Reserved
Oct 15, 2025

Credit

Rafshanzani Suhada

JSON