Impact
An unauthenticated Server-Side Request Forgery (SSRF) flaw exists in Paid Member Subscriptions versions up to 3.0.4. The vulnerability allows an attacker to make the vulnerable WordPress installation issue arbitrary HTTP or HTTPS requests to any target. This can enable attackers to reach internal network services, exfiltrate sensitive data, or launch secondary attacks against systems reachable from the WordPress host. The weakness is classified as CWE-918 (Server-Side Request Forgery), meaning the application sends requests to a destination taken from user-controlled input without sufficiently validating or constraining that destination.
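The CWE-918 pattern and its remedy, as an added illustration (not the plugin's code): a hypothetical endpoint that fetches a caller-supplied URL, first unchecked and then with scheme, host and resolved destination constrained before any request is sent. The `url` parameter, function names and allowlist are assumptions; the WordPress HTTP API functions used are real.

```php
<?php
// Added example, not from Paid Member Subscriptions. Demonstrates the
// CWE-918 defect class and a hardened equivalent using the WordPress HTTP API.

// Weak pattern: the URL comes straight from the request, and wp_remote_get()
// will reach loopback, RFC 1918 ranges or a cloud metadata endpoint just as
// readily as a public host.
function pms_example_fetch_unsafe() {
    $url = isset( $_GET['url'] ) ? wp_unslash( $_GET['url'] ) : ''; // hypothetical parameter
    return wp_remote_retrieve_body( wp_remote_get( $url ) );
}

// Hardened pattern: only http(s), only allowlisted hosts, and only destinations
// that do not resolve to loopback, link-local or private address space.
function pms_example_validate_outbound_url( $url, array $allowed_hosts ) {
    // esc_url_raw() returns '' when the scheme is not one of those listed.
    $url = esc_url_raw( trim( (string) $url ), array( 'http', 'https' ) );
    if ( '' === $url ) {
        return new WP_Error( 'ssrf_scheme', 'Only http(s) URLs are accepted.' );
    }
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! $host || ! in_array( strtolower( $host ), $allowed_hosts, true ) ) {
        return new WP_Error( 'ssrf_host', 'Destination host is not on the allowlist.' );
    }
    // wp_http_validate_url() resolves the host and rejects private, loopback and
    // link-local addresses as well as non-standard ports.
    if ( false === wp_http_validate_url( $url ) ) {
        return new WP_Error( 'ssrf_dest', 'Destination resolves to a disallowed address.' );
    }
    return $url;
}

function pms_example_fetch_safe() {
    $allowed = array( 'api.example.com' ); // constructed allowlist for the example
    $raw     = isset( $_GET['url'] ) ? wp_unslash( $_GET['url'] ) : '';
    $checked = pms_example_validate_outbound_url( $raw, $allowed );
    if ( is_wp_error( $checked ) ) {
        return $checked;
    }
    // wp_safe_remote_get() re-applies wp_http_validate_url(); redirects are
    // disabled so an allowlisted host cannot bounce the request elsewhere.
    $response = wp_safe_remote_get( $checked, array( 'redirection' => 0, 'timeout' => 5 ) );
    return is_wp_error( $response ) ? $response : wp_remote_retrieve_body( $response );
}
```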
Affected Systems
All installations of the Paid Member Subscriptions plugin from Cozmoslabs running version 3.0.4 or earlier are affected. No specific WordPress core or hosting platform versions are listed as impacted, so any WordPress site using the vulnerable plugin is at risk.
Risk and Exploitability
The vulnerability has a CVSS score of 7.2 (high severity). No EPSS score has been published, so the current likelihood of exploitation is unknown, but because the flaw is reachable without authentication or any other privileges it is potentially attractive to adversaries. It is not listed in the CISA KEV catalog, but it remains a significant risk given its ease of exploitation and its potential impact on internal systems.
OpenCVE Enrichment