CVE-2024-10261

7.3 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary WordPress shortcodes in the Paid Membership Subscriptions plugin. Attackers can potentially run malicious code, access restricted content, or modify site behavior. All WordPress sites using this plugin up to version 2.13.0 are affected.

💻 Affected Systems

Products:
  • Paid Membership Subscriptions WordPress plugin
Versions: All versions up to and including 2.13.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site compromise through execution of malicious PHP code via shortcodes, leading to data theft, defacement, or backdoor installation.

🟠 Likely Case: Unauthorized access to premium content, privilege escalation, or injection of malicious scripts/ads.

🟢 If Mitigated: Limited impact if shortcode execution is restricted through security plugins or custom filters.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes all public WordPress sites with this plugin vulnerable.
🏢 Internal Only: MEDIUM - Internal WordPress sites are still vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request exploitation with no authentication required. Technical details are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.13.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3182968/paid-member-subscriptions

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Paid Membership Subscriptions'.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.13.1+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable plugin (applies to: all)

Temporarily disable the Paid Membership Subscriptions plugin until patched:

wp plugin deactivate paid-member-subscriptions

Restrict access (applies to: all)

Use a web application firewall to block suspicious requests to the affected endpoints.

🧯 If You Can't Patch

  • Implement strict WAF rules to block shortcode execution attempts
  • Disable user registration and limit site access to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → Paid Membership Subscriptions version

Check Version:

wp plugin get paid-member-subscriptions --field=version

Verify Fix Applied:

Confirm plugin version is 2.13.1 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to WordPress endpoints with shortcode parameters
  • Multiple 404 or 403 errors from unauthenticated users

Network Indicators:

  • HTTP requests containing [shortcode] patterns from unexpected sources
  • Spike in requests to /wp-admin/admin-ajax.php

SIEM Query:

source="wordpress.log" AND ("do_shortcode" OR "[shortcode]" OR "admin-ajax.php") AND status=200

Note that successful requests to admin-ajax.php are routine on most WordPress sites, so this query is noisy on its own; treat hits as a starting point and correlate them with the log and network indicators above (unexpected sources, shortcode-like parameters, request spikes) rather than alerting on the query alone.
