Description
Missing Authorization vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Paid Member Subscriptions: from n/a through <= 2.15.9.
Published: 2025-09-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization check (CWE-862) in the Cozmoslabs Paid Member Subscriptions WordPress plugin: at least one plugin action can be triggered without the plugin verifying that the caller holds the capability the action should require. The advisory does not name the affected endpoint or action. The CVSS vector recorded on this page (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) indicates that the action is reachable over the network without any privileges and that its direct impact is limited to availability (A:L); no confidentiality or integrity impact is recorded (C:N, I:N).
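To show what a CWE-862 defect of this kind looks like in a WordPress plugin, and how it is normally fixed, the following is an added, generic example. It is not code from Paid Member Subscriptions; the action and route names, the `example_*` functions, the `manage_options` capability and the cache-purge operation are all invented for illustration.

```php
<?php
// Added, generic example of CWE-862 (Missing Authorization) in a WordPress
// plugin and its hardened form. NOT code from Paid Member Subscriptions; every
// example_* name, action, route and capability below is hypothetical.

function example_rebuild_subscription_cache() {
    // Hypothetical costly operation standing in for whatever the real action does.
    delete_transient( 'example_subscription_cache' );
}

/* ---- Vulnerable pattern ------------------------------------------------ */

// Registering the callback on wp_ajax_nopriv_* makes it reachable by anonymous
// visitors via POST /wp-admin/admin-ajax.php?action=example_purge_cache, and the
// callback checks neither a capability nor a nonce before acting.
add_action( 'wp_ajax_example_purge_cache',        'example_purge_cache_vulnerable' );
add_action( 'wp_ajax_nopriv_example_purge_cache', 'example_purge_cache_vulnerable' );

function example_purge_cache_vulnerable() {
    // Any visitor can trigger this as often as they like (availability impact).
    example_rebuild_subscription_cache();
    wp_send_json_success();
}

// The REST equivalent: permission_callback => '__return_true' means
// "no authorization required" for this route.
function example_purge_cache_vulnerable_rest( WP_REST_Request $request ) {
    example_rebuild_subscription_cache();
    return rest_ensure_response( array( 'purged' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/purge-cache', array(
        'methods'             => 'POST',
        'callback'            => 'example_purge_cache_vulnerable_rest',
        'permission_callback' => '__return_true',
    ) );
} );

/* ---- Hardened pattern -------------------------------------------------- */

// No wp_ajax_nopriv_ registration: admin-ajax.php answers unauthenticated
// requests for this action with "0" and never runs the callback.
add_action( 'wp_ajax_example_purge_cache_safe', 'example_purge_cache_safe' );

function example_purge_cache_safe() {
    // Anti-CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_purge_cache', 'nonce' );
    // Authorization: being logged in is not enough; require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends the response and exits
    }
    example_rebuild_subscription_cache();
    wp_send_json_success();
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/purge-cache-safe', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            example_rebuild_subscription_cache();
            return rest_ensure_response( array( 'purged' => true ) );
        },
        // WordPress evaluates this before the callback. Cookie-authenticated
        // REST calls must also send a valid X-WP-Nonce header, otherwise core
        // treats the caller as anonymous and current_user_can() returns false.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing a plugin for this bug class, the two things to grep for are `wp_ajax_nopriv_` registrations and `'permission_callback' => '__return_true'` (or a missing `permission_callback`); each hit should be justified by the handler genuinely needing to serve anonymous users, and the handler body must still validate its inputs.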

Affected Systems

The affected product is the Paid Member Subscriptions WordPress plugin developed by Cozmoslabs. All releases up to and including 2.15.9 are affected; the advisory gives no lower bound ("from n/a").

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (Medium) reflects a flaw that is reachable over the network and needs neither privileges nor user interaction (AV:N/AC:L/PR:N/UI:N), but whose recorded impact is a low availability impact only (C:N/I:N/A:L). The EPSS score below 1% suggests a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment in the history below rates it Automatable: yes, Exploitation: none, Technical Impact: partial. The advisory does not publish the affected endpoint, so the attack path is inferred from the weakness class: an unauthenticated attacker sends ordinary HTTP requests to the plugin handler that lacks the check, and the handler performs its action without verifying the caller's authorization. This is an authorization bypass, not an authentication bypass; no credentials are defeated.

Generated by OpenCVE AI on April 30, 2026 at 07:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Paid Member Subscriptions plugin to a release later than 2.15.9. The advisory title lists only versions <= 2.15.9 as affected but this page does not name the fixed version, so confirm it against the vendor's changelog before treating the site as patched.
  • If an upgrade is not immediately possible, review the plugin's role‑based access control settings so that only the intended roles can reach subscription management pages. Note that the CVSS vector records PR:N (no privileges required), so role configuration alone is unlikely to block an unauthenticated request; treat this as a stopgap, not a fix.
  • After updating or reconfiguring, audit WordPress user roles and capabilities to confirm that no excess privileges remain in place.


Tracking


Advisories

Source: EUVD
ID: EUVD-2025-26566
Title: Missing Authorization vulnerability in Cozmoslabs Paid Member Subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Member Subscriptions: from n/a through 2.15.9.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Missing Authorization vulnerability in Cozmoslabs Paid Member Subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Member Subscriptions: from n/a through 2.15.9.
    Added: Missing Authorization vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Paid Member Subscriptions: from n/a through <= 2.15.9.
  References
  Metrics cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Wed, 03 Sep 2025 20:30:00 +0000
  First Time appeared (added): Cozmoslabs; Cozmoslabs paid Member Subscriptions; Wordpress; Wordpress wordpress
  Vendors & Products (added): Cozmoslabs; Cozmoslabs paid Member Subscriptions; Wordpress; Wordpress wordpress

Wed, 03 Sep 2025 18:15:00 +0000
  Metrics ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Sep 2025 14:45:00 +0000
  Description (added): Missing Authorization vulnerability in Cozmoslabs Paid Member Subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Member Subscriptions: from n/a through 2.15.9.
  Title (added): WordPress Paid Member Subscriptions Plugin <= 2.15.9 - Broken Access Control Vulnerability
  Weaknesses (added): CWE-862
  References
  Metrics cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
MITRE

Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-05-13T00:07:07.369Z
Reserved: 2025-09-03T09:02:27.116Z
Link: CVE-2025-58600

Vulnrichment

Updated: 2025-09-03T17:38:49.587Z

NVD

Status: Deferred
Published: 2025-09-03T15:15:41.047
Modified: 2026-04-23T15:33:26.280
Link: CVE-2025-58600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:30:31Z

Weaknesses