Paid Memberships Pro <= 2.12.3 - Authenticated (Subscriber+) Arbitrary File Upload
Summary
| CVE | CVE-2023-6187 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-11-18 02:15:49 UTC |
| Updated | 2026-04-08 18:18:35 UTC |
| Description | The Paid Memberships Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'pmpro_paypalexpress_session_vars_for_user_fields' function in versions up to, and including, 2.12.3. This makes it possible for authenticated attackers with subscriber privileges or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if 2Checkout (deprecated since version 2.6) or PayPal Express is set as the payment method and a custom user field is added that is only visible at profile, and not visible at checkout according to its settings. |
Risk And Classification
Primary CVSS: v3.1 8.8 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Problem Types: CWE-434 | CWE-434 CWE-434 Unrestricted Upload of File with Dangerous Type
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Strangerstudios | Paid Memberships Pro | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Strangerstudios | Paid Memberships Pro Content Restriction User Registration Paid Subscriptions | affected 2.12.3 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.paidmembershipspro.com/pmpro-update-2-12-4 | af854a3a-2127-422b-91ae-364da2661108 | www.paidmembershipspro.com | Product |
| plugins.trac.wordpress.org/changeset/2997319/paid-memberships-pro/tags/2.12.4/includes/f... | af854a3a-2127-422b-91ae-364da2661108 | plugins.trac.wordpress.org | Patch |
| www.wordfence.com/threat-intel/vulnerabilities/id/5979f2eb-2ca8-4b06-814c-c4236... | af854a3a-2127-422b-91ae-364da2661108 | www.wordfence.com | Patch, Third Party Advisory |
| plugins.trac.wordpress.org/changeset/2997319/paid-memberships-pro/tags/2.12.4/includes/f... | af854a3a-2127-422b-91ae-364da2661108 | plugins.trac.wordpress.org | Patch |
| plugins.trac.wordpress.org/browser/paid-memberships-pro/tags/2.12.3/includes/fields.php | af854a3a-2127-422b-91ae-364da2661108 | plugins.trac.wordpress.org | Product |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: István Márton (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2023-11-14T00:00:00.000Z | Discovered |
| CNA | 2023-11-14T00:00:00.000Z | Vendor Notified |
| CNA | 2023-11-16T00:00:00.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.