CVE-2022-27629
📋 TL;DR
This CSRF vulnerability in the MicroPayments WordPress plugin lets an unauthenticated attacker make a logged-in administrator's browser perform unintended actions in the plugin. CSRF does not steal the session; it rides on the victim's existing authentication cookie when the administrator visits an attacker-controlled page, so the attacker can change plugin settings and potentially affect membership, content access, or payment configuration. Every WordPress site running an affected version is exposed whenever an administrator is logged in.
💻 Affected Systems
- MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership WordPress plugin
📦 What is this software?
MicroPayments by VideoWhisper (WordPress.org plugin slug: paid-membership)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of membership system allowing unauthorized access to paid content, modification of payment settings, or disabling security features.
Likely Case
Unauthorized changes to membership settings, content access rules, or plugin configuration leading to data exposure or financial impact.
If Mitigated
No impact if proper CSRF protections are implemented and administrators follow security best practices.
🎯 Exploit Status
CSRF attacks are well-understood and easy to weaponize. Attack requires administrator to visit malicious page while authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.6
Vendor Advisory: https://wordpress.org/plugins/paid-membership/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.9.6 or later from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Content Security Policy (defence in depth only)
Applies to: all platforms. A CSP limits which scripts the site itself will load; it does not stop a cross-origin form that an attacker's page auto-submits to wp-admin, so on its own it does not block this CSRF. Treat it as hardening that narrows follow-on attacks, test it against wp-admin first (the WordPress admin relies on inline scripts and other sources), and do not use it in place of the update.
Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com;"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com;";
Plugin Deactivation
Applies to: all platforms. Temporarily disable the vulnerable plugin until it is updated; an inactive plugin's admin handlers do not run, but its paid-content and membership features stop working as well.
wp plugin deactivate paid-membership
Or via WordPress admin: Plugins → Installed Plugins → Deactivate
🧯 If You Can't Patch
- Enforce SameSite=Lax (or Strict) on the WordPress authentication cookies (wordpress_logged_in_* and wordpress_sec_*). WordPress core does not set the attribute itself, so add it at the reverse proxy or web server. Browsers that default to Lax already withhold these cookies from most cross-site POSTs, but do not rely on the default.
- Require administrators to use separate browser profiles for admin tasks and general browsing
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → View version of 'MicroPayments' plugin
Check Version:
wp plugin get paid-membership --field=version
Verify Fix Applied:
Confirm plugin version is 1.9.6 or higher in WordPress admin panel
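For more than a handful of sites, the version check is easier to do against `wp plugin list --format=json` than by clicking through each admin panel. The following script is an added example, not part of the advisory or the plugin; it assumes you have collected that JSON from each host (for instance over SSH), embeds constructed sample output for four hypothetical hosts, and compares versions numerically, which matters because a plain string comparison ranks "1.9.10" below "1.9.6".

```python
import json
import re

PLUGIN_SLUG = "paid-membership"   # WordPress.org slug of the MicroPayments plugin
FIXED_VERSION = "1.9.6"           # first release with the CSRF fix


def parse_version(text):
    """Turn '1.9.10' into (1, 9, 10) so versions compare numerically.

    Plain string comparison gets this wrong ('1.9.10' < '1.9.6' as strings).
    A suffix such as '-rc1' is ignored.
    """
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def version_at_least(version, minimum):
    """True if version >= minimum, treating '1.9' as '1.9.0'."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def assess_site(plugin_list_json):
    """Classify one site from the JSON printed by `wp plugin list --format=json`.

    Returns (status, version) with status one of 'not-installed', 'fixed',
    'vulnerable' (old version, active) or 'inactive-vulnerable' (old version,
    deactivated: its admin handlers do not run until someone reactivates it).
    """
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") != PLUGIN_SLUG:
            continue
        version = plugin.get("version", "")
        if version_at_least(version, FIXED_VERSION):
            return ("fixed", version)
        if plugin.get("status") in ("active", "active-network"):
            return ("vulnerable", version)
        return ("inactive-vulnerable", version)
    return ("not-installed", None)


def assess_fleet(fleet):
    """Map hostname -> (status, version) for a dict of hostname -> wp-cli JSON."""
    return {host: assess_site(output) for host, output in fleet.items()}


# Constructed sample output, shaped like `wp plugin list --format=json`, for four
# hypothetical hosts. Collect the real thing with something like:
#   ssh HOST "cd /var/www/html && wp plugin list --format=json"
SAMPLE_FLEET = {
    "shop.example": (
        '[{"name":"akismet","status":"inactive","update":"none","version":"4.2.2"},'
        '{"name":"paid-membership","status":"active","update":"available","version":"1.9.5"}]'
    ),
    "blog.example": '[{"name":"paid-membership","status":"active","update":"none","version":"1.9.10"}]',
    "docs.example": '[{"name":"paid-membership","status":"inactive","update":"none","version":"1.8.7"}]',
    "corp.example": '[{"name":"akismet","status":"active","update":"none","version":"4.2.2"}]',
}

if __name__ == "__main__":
    for host, (status, version) in sorted(assess_fleet(SAMPLE_FLEET).items()):
        print(f"{host:<14} {status:<20} {version or '-'}")
```

Anything reported as vulnerable needs the update; inactive-vulnerable hosts are safe only as long as nobody reactivates the plugin, so update them too rather than leaving the old files in place.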
📡 Detection & Monitoring
Log Indicators:
- Unexpected changes to the plugin's options. WordPress core does not log option changes, so an audit-log plugin or your own hook on the updated_option action is needed to see them.
- Bursts of nonce (CSRF token) failures. WordPress answers a failed nonce with "The link you followed has expired." for admin-post forms and a 403 for AJAX calls that fail check_ajax_referer, and logs neither by default, so count those responses at the web server.
- Administrator actions from unexpected IP addresses or user agents. In a CSRF the request comes from the administrator's own browser and address, so this indicator catches stolen sessions rather than this bug; it is still worth keeping.
Network Indicators:
- POST requests to admin-ajax.php or admin-post.php whose Referer header is absent or belongs to another origin. The Origin header, when present, is the more reliable signal, so add it to the access-log format if your web server does not already record it.
- Cross-origin requests to plugin administration endpoints
SIEM Query:
source="wordpress.log" AND method="POST" AND ("admin-ajax.php" OR "admin-post.php" OR "paid-membership") AND NOT referer="https://<your-site>/*"
(Splunk-style pseudo-query; substitute your site's origin for <your-site> and adjust field names to your schema. Expect some noise from requests that carry no Referer because of a strict Referrer-Policy.)
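The same detection logic, run offline over web-server access logs, as an added example that is not part of the advisory: it parses the common Apache/nginx "combined" format, keeps only POSTs to admin-post.php, admin-ajax.php or the plugin's own directory, and flags those whose Referer is missing or from a different origin than the site. The site origin and the six log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: the protected site's own origin; change to match your installation.
SITE_ORIGIN = "https://shop.example"

# Endpoints WordPress plugins use for admin form posts and AJAX calls.
ADMIN_ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")

# Apache/nginx "combined" log format: the Referer is the second-to-last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def origin_of(url):
    """scheme://host[:port] of a URL, lower-cased; None if the URL has no host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def classify(entry, site_origin=SITE_ORIGIN):
    """Why a request looks like a cross-site admin POST, or None if it looks normal.

    Only POSTs count: CSRF lure pages auto-submit forms, and GET traffic to
    admin-ajax.php is routine front-end activity.
    """
    if entry["method"] != "POST":
        return None
    path = entry["path"].split("?", 1)[0]
    if path not in ADMIN_ENDPOINTS and "/plugins/paid-membership/" not in path:
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        return "missing-referer"
    if origin_of(referer) != site_origin.lower():
        return "cross-origin-referer"
    return None


def find_suspicious(lines, site_origin=SITE_ORIGIN):
    """Scan log lines; return (ip, path, referer, reason) for each suspicious request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry, site_origin)
        if reason:
            hits.append((entry["ip"], entry["path"], entry["referer"], reason))
    return hits


# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = [
    # Admin saving settings from inside wp-admin: normal.
    '203.0.113.7 - - [10/Mar/2022:10:00:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 '
    '"https://shop.example/wp-admin/admin.php" "Mozilla/5.0"',
    # Same admin, same endpoint, but the form came from another site: CSRF shape.
    '203.0.113.7 - - [10/Mar/2022:10:02:15 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 '
    '"https://attacker.example/lure.html" "Mozilla/5.0"',
    # AJAX POST with no Referer: worth a look, but also what a strict Referrer-Policy produces.
    '198.51.100.23 - - [10/Mar/2022:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 85 '
    '"-" "Mozilla/5.0"',
    # GET from elsewhere: not a form post, ignored.
    '198.51.100.23 - - [10/Mar/2022:10:04:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 85 '
    '"https://attacker.example/" "Mozilla/5.0"',
    # Login POST: not an admin endpoint, ignored.
    '192.0.2.9 - - [10/Mar/2022:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 '
    '"https://shop.example/wp-login.php" "Mozilla/5.0"',
    # Host name case differs but the origin is ours: normal.
    '203.0.113.7 - - [10/Mar/2022:10:06:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 '
    '"https://Shop.Example/wp-admin/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```

Run it against the real log with `find_suspicious(open("/var/log/nginx/access.log"))`. A cross-origin Referer on a POST to admin-post.php is the strongest signal; the missing-referer class is noisier and is best correlated with the nonce-failure responses described above.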
🔗 References
- https://jvn.jp/en/jp/JVN31606885/index.html
- https://plugins.trac.wordpress.org/changeset?new=2362275%40paid-membership&old=2345274%40paid-membership
- https://wordpress.org/plugins/paid-membership/