CVE-2025-11835
📋 TL;DR
This vulnerability in the Paid Membership Subscriptions WordPress plugin allows unauthenticated attackers to trigger stored auto-renew charges for arbitrary members without proper authorization. All WordPress sites using this plugin up to version 2.16.4 are affected. Attackers can exploit this to cause unauthorized financial transactions.
💻 Affected Systems
- Paid Membership Subscriptions WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers trigger multiple unauthorized auto-renew charges for all members, causing significant financial loss and potential legal/compliance issues.
Likely Case
Attackers trigger unauthorized charges for some members, resulting in financial loss, customer complaints, and potential payment processor issues.
If Mitigated
With proper monitoring and payment processor safeguards, unauthorized charges are detected and reversed before causing significant impact.
🎯 Exploit Status
The vulnerability requires no authentication and has a simple exploitation path via the AJAX endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.16.5
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3383182/paid-member-subscriptions
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Paid Member Subscriptions'.
4. Click 'Update Now' if available.
5. If not, download version 2.16.5+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Temporarily disable the vulnerable PMS_AJAX_Checkout_Handler::process_payment() function.
Add to theme's functions.php or custom plugin:
// Unhook the unauthenticated (nopriv) AJAX handler. remove_action() only succeeds if the
// plugin has already registered the hook and the priority matches the registration.
add_action('init', function() {
    remove_action('wp_ajax_nopriv_pms_process_payment_checkout', array('PMS_AJAX_Checkout_Handler', 'process_payment'));
});
Restrict access to payment endpoints
Use a web application firewall or .htaccess to restrict access to payment processing endpoints:
# Add to .htaccess
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} action=pms_process_payment_checkout
RewriteRule ^ - [F]
🧯 If You Can't Patch
- Disable the Paid Membership Subscriptions plugin entirely until patched
- Implement strict rate limiting on /wp-admin/admin-ajax.php endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Paid Member Subscriptions version 2.16.4 or lower
Check Version:
wp plugin list --name='paid-member-subscriptions' --field=version
Verify Fix Applied:
Verify plugin version is 2.16.5 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=pms_process_payment_checkout from unauthenticated users
- Unexpected payment processing events in plugin logs
Network Indicators:
- Unusual spikes in requests to WordPress AJAX endpoints from unauthenticated sources
- Payment gateway callbacks without corresponding user actions
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND query_string="*action=pms_process_payment_checkout*") AND user="-"
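The log indicators and the SIEM query above, worked over a few constructed access-log lines as an added example (this is not part of the original advisory and not the plugin's own code). It assumes Apache/nginx "combined" log format, where the third field is the HTTP auth user (the page's user="-" clause); note that WordPress sessions are cookie-based, so on most sites every request shows "-" there and the real signal is the path plus action match and the request rate from one source. Only requests that pass the action in the query string are visible in an access log; the body of a POST is not logged, which is also the scope of the SIEM query above. The burst threshold (3 matching requests from one IP within 60 seconds) is an arbitrary starting point to tune for your traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=pms_process_payment_checkout HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [12/Oct/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=pms_process_payment_checkout HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [12/Oct/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=pms_process_payment_checkout HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - alice [12/Oct/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=pms_process_payment_checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Oct/2025:10:00:06 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2025:10:05:30 +0000] "POST /wp-admin/admin-ajax.php?action=pms_process_payment_checkout HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

# Values taken from the advisory's own indicators.
TARGET_ACTION = "pms_process_payment_checkout"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# ip - user [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(ev["target"])
    ev["path"] = parts.path
    ev["query"] = parse_qs(parts.query)  # {'action': ['pms_...']} for matching lines
    return ev


def is_suspect(ev) -> bool:
    """Unauthenticated POST to admin-ajax.php carrying the vulnerable action."""
    return (
        ev["method"] == "POST"
        and ev["path"].endswith(AJAX_PATH)
        and TARGET_ACTION in ev["query"].get("action", [])
        and ev["user"] == "-"  # mirrors the user="-" clause of the SIEM query
    )


def find_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: max events in any sliding window} for IPs at or above threshold."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev["ts"])
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):
            # advance j to the first stamp outside the window starting at stamps[i]
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def analyze(log_text: str, threshold=3, window=timedelta(seconds=60)):
    """Run the indicator match and the burst check over a block of log text."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    suspect = [ev for ev in events if is_suspect(ev)]
    return {
        "suspect_events": suspect,
        "per_ip": Counter(ev["ip"] for ev in suspect),
        "bursts": find_bursts(suspect, threshold, window),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{len(result['suspect_events'])} matching unauthenticated checkout requests")
    for ip, n in result["per_ip"].most_common():
        flag = " <-- burst" if ip in result["bursts"] else ""
        print(f"  {ip}: {n} request(s){flag}")
```

On the constructed sample this reports four matching requests, all from 203.0.113.10, and flags that address because three of them fall within one 60-second window; the request from `alice` is excluded by the auth-user clause and the heartbeat request by the action match. Feed the same functions a real log file (or the output of the SIEM query) and pair an alert on a burst with a check of the payment processor for renewal charges that have no matching member action, which is the "payment gateway callbacks without corresponding user actions" indicator above.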