Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Stored XSS. This issue affects Paid Member Subscriptions: from n/a through <= 2.14.3.
Published: 2025-03-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improperly sanitized input field in Cozmoslabs Paid Member Subscriptions causes stored XSS, allowing attackers to inject JavaScript that the plugin renders on subsequent page loads. The vulnerability enables execution of arbitrary script in the browser of any user who views the affected content, potentially facilitating cookie theft, session hijacking, defacement, or delivery of further malicious payloads. The weakness is categorized as CWE-79, the class that covers both reflected and stored XSS; in this case the flaw is the stored variant.

Affected Systems

WordPress installations that use the Paid Member Subscriptions plugin version 2.14.3 or earlier are vulnerable. Any site where administrators or other privileged users have written content through this plugin is at risk until the plugin is updated.

Risk and Exploitability

The CVSS score of 6.5 indicates Medium severity, while an EPSS score of less than 1% suggests a very low probability of current exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, reinforcing the low exploit likelihood. Exploitation would generally require an attacker to create or modify content within the plugin, so a compromised or malicious account and user interaction are prerequisites (consistent with the PR:L and UI:R components of the CVSS vector). No known public exploit or active abuse had been reported as of this analysis.

Generated by OpenCVE AI on May 1, 2026 at 12:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Paid Member Subscriptions to a version newer than 2.14.3
  • Disable or remove the plugin until the update is applied to prevent further exploitation
  • Configure the plugin or site content editor to sanitize or strip disallowed HTML tags and attributes to mitigate XSS from remaining content
  • Monitor for unusual frontend activity or error logs that indicate attempted XSS
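The third recommended action above (sanitize or strip disallowed HTML tags and attributes) is the generic fix for CWE-79 in a WordPress plugin. The following is an added illustration, not code from Paid Member Subscriptions or from OpenCVE: it shows the pattern of an explicit tag/attribute allowlist applied both when content is stored and again when it is rendered. The function names, the meta keys `pms_demo_bio` and `pms_demo_display_name`, and the allowlist contents are assumptions for the example; `wp_kses()`, `esc_html()`, `sanitize_text_field()`, `update_user_meta()` and `get_user_meta()` are WordPress core functions, so the snippet assumes a WordPress runtime.

```php
<?php
// Added example (hypothetical plugin code, not Paid Member Subscriptions' own source).
// Assumes a loaded WordPress runtime for wp_kses(), esc_html(), sanitize_text_field(),
// update_user_meta() and get_user_meta(). The meta keys and function names are invented.

// Explicit allowlist: only these tags and attributes survive sanitization.
// Anything not listed (script, iframe, on* event handlers, style attributes) is stripped.
function pms_demo_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'strong' => array(),
        'em'     => array(),
        'p'      => array(),
        'br'     => array(),
    );
}

// Store path: sanitize against the allowlist before the value is persisted, so the
// database never holds markup the plugin is not prepared to render. Plain-text fields
// get sanitize_text_field(), which strips all tags rather than allowing a subset.
function pms_demo_save_profile_fields( $user_id, $raw_bio, $raw_display_name ) {
    $clean_bio  = wp_kses( $raw_bio, pms_demo_allowed_html(), array( 'http', 'https', 'mailto' ) );
    $clean_name = sanitize_text_field( $raw_display_name );
    update_user_meta( $user_id, 'pms_demo_bio', $clean_bio );
    update_user_meta( $user_id, 'pms_demo_display_name', $clean_name );
}

// Render path: filter and escape again at output. This is defence in depth: rows
// written before the sanitizer existed cannot inject script at page generation either.
function pms_demo_render_profile_fields( $user_id ) {
    $bio  = get_user_meta( $user_id, 'pms_demo_bio', true );
    $name = get_user_meta( $user_id, 'pms_demo_display_name', true );

    // Vulnerable pattern (the shape of a CWE-79 template bug, shown for contrast):
    //   echo '<h2>' . $name . '</h2><div>' . $bio . '</div>';

    // Hardened output: plain text is HTML-escaped, rich text is re-filtered.
    echo '<h2>' . esc_html( $name ) . '</h2>';
    echo '<div class="pms-bio">' . wp_kses( $bio, pms_demo_allowed_html() ) . '</div>';
}
```

With a constructed input such as a paragraph containing a `<script>` element and an `<a>` tag carrying an `onclick` attribute, `wp_kses()` removes the script tags and the `onclick` attribute while keeping the allowed `<p>` and `<a href>` markup; `esc_html()` turns any angle brackets in the display name into entities. Applying the filter on both the store and render paths is what makes the fix robust against content that was already in the database when the plugin was updated.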


Advisories

Source: EUVD
ID: EUVD-2025-8569
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs Paid Member Subscriptions allows Stored XSS. This issue affects Paid Member Subscriptions: from n/a through 2.14.3.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs Paid Member Subscriptions allows Stored XSS. This issue affects Paid Member Subscriptions: from n/a through 2.14.3.
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Stored XSS.This issue affects Paid Member Subscriptions: from n/a through <= 2.14.3.
  Title
    Removed: WordPress Paid Member Subscriptions <= 2.14.3 - Cross Site Scripting (XSS) Vulnerability
    Added: WordPress Paid Member Subscriptions plugin <= 2.14.3 - Cross Site Scripting (XSS) Vulnerability
  References
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 28 Mar 2025 15:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 28 Mar 2025 09:45:00 +0000
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs Paid Member Subscriptions allows Stored XSS. This issue affects Paid Member Subscriptions: from n/a through 2.14.3.
  Title: WordPress Paid Member Subscriptions <= 2.14.3 - Cross Site Scripting (XSS) Vulnerability
  Weaknesses: CWE-79
  References
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Cozmoslabs Paid Member Subscriptions
Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:57:30.153Z

Reserved: 2025-03-26T09:26:11.885Z

Link: CVE-2025-31088

Vulnrichment

Updated: 2025-03-28T14:18:14.628Z

NVD

Status : Deferred

Published: 2025-03-28T10:15:17.297

Modified: 2026-04-23T15:27:41.013

Link: CVE-2025-31088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T12:45:15Z

Weaknesses