Description
Unauthenticated Cross Site Request Forgery (CSRF) in Paid Memberships Pro - Add Member From Admin <= 0.7.2 versions.
Published: 2026-06-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery flaw (CWE-352) in the Paid Memberships Pro - Add Member From Admin plugin. "Unauthenticated" here means the attacker needs no account on the target site (CVSS PR:N); the victim, however, must be a logged-in WordPress user who can reach the "Add Member" admin screen. If that user loads an attacker-controlled page or link (UI:R), the browser silently submits the add-member request with the victim's cookies and privileges, and the plugin accepts it because it does not verify that the request originated from its own form. The CVSS 3.1 score of 8.8 (High) reflects high impact on confidentiality, integrity and availability: a successful attack can create member accounts or grant membership levels without the attacker ever authenticating. The damage is bounded by what the Add Member form itself can do; this flaw does not by itself allow arbitrary administrative actions.

Affected Systems

WordPress sites running Stranger Studios' Paid Memberships Pro - Add Member From Admin plugin at version 0.7.2 or earlier are affected. Check the installed version on the Plugins screen of the WordPress admin (or with `wp plugin list` where WP-CLI is available) and upgrade any install at or below 0.7.2.

Risk and Exploitability

The EPSS score is below 1% (Very Low), so the statistical likelihood of exploitation in the wild is currently low, but the high CVSS score and the well-understood nature of CSRF keep the risk non-trivial: exploitation needs no special tooling, only a privileged victim who visits an attacker-controlled page. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it as not automatable, consistent with its dependence on user interaction. The attack vector is a logged-in WordPress user with access to the Add Member screen being lured to a crafted page or link that submits the forged request. The attacker needs no account on the target site, but ordinary, unprivileged visitors are not useful targets; site administrators and other users with the relevant capability are.

Generated by OpenCVE AI on June 26, 2026 at 17:37 UTC.

Remediation

Vendor Solution

Update the WordPress Paid Memberships Pro - Add Member From Admin Plugin to the latest available version (at least 0.7.3).


OpenCVE Recommended Actions

  • Upgrade the Paid Memberships Pro - Add Member From Admin plugin to version 0.7.3 or newer.
  • Limit the number of accounts that can reach the "Add Member" feature (administrators only, via WordPress roles and capabilities). This shrinks the pool of users an attacker can target but does not fix the CSRF: a forged request still succeeds whenever one of the remaining privileged users is lured to an attacker-controlled page while logged in.
  • Do not rely on a site-level setting or a generic security plugin to add CSRF protection. WordPress nonce checks are performed by the plugin's own form handler (wp_nonce_field() on the form, check_admin_referer() or wp_verify_nonce() on submission), so a handler that omits them can only be fixed by updating the plugin. Until the update is applied, administrators should avoid browsing untrusted sites while logged in to the WordPress admin.
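The following is an added illustration of the defect class and its fix, not code from the Paid Memberships Pro - Add Member From Admin plugin or from Stranger Studios. It places a minimal WordPress admin form handler that accepts any POST (the CSRF-prone shape) beside one that verifies a nonce and a capability before changing state. The form field names, the `example_` function names and the call to `pmpro_changeMembershipLevel()` are assumptions made for the example; the WordPress API functions (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `absint`, `get_userdata`, `wp_die`, `submit_button`) are real.

```php
<?php
/*
 * Added example: the vulnerable shape of an "Add Member" admin handler next to
 * a hardened one. NOT the plugin's code; field names, example_* functions and
 * the pmpro_changeMembershipLevel() call are assumptions for illustration.
 * Runs inside WordPress (requires the WP API functions used below).
 */

/* ---- Vulnerable shape: any POST that reaches the admin page is acted on. ---- */
function example_add_member_vulnerable() {
    if ( empty( $_POST['example_add_member'] ) ) {
        return;
    }
    // Authorisation rests solely on the browser's session cookie. A logged-in
    // admin who visits an attacker's page with an auto-submitting form pointed
    // at this site will trigger this branch without intending to (CWE-352):
    // nothing here proves the request came from the plugin's own form.
    $user_id = (int) $_POST['user_id'];
    $level   = (int) $_POST['membership_level'];
    pmpro_changeMembershipLevel( $level, $user_id ); // assumed helper
}

/* ---- Hardened shape: nonce + capability check before any state change. ---- */
function example_add_member_form() {
    ?>
    <form method="post">
        <?php
        // Emits a hidden field carrying a nonce bound to this user, this
        // action and a 12-24 hour window; an attacker on another origin
        // cannot read or guess it, so a forged cross-site POST lacks it.
        wp_nonce_field( 'example_add_member', 'example_add_member_nonce' );
        ?>
        <label>User ID <input type="text" name="user_id"></label>
        <label>Level ID <input type="text" name="membership_level"></label>
        <?php submit_button( 'Add Member', 'primary', 'example_add_member' ); ?>
    </form>
    <?php
}

function example_add_member_hardened() {
    if ( empty( $_POST['example_add_member'] ) ) {
        return;
    }
    // 1. Capability check: the acting user must be allowed to manage members.
    //    (Which capability is appropriate is the plugin's choice; manage_options
    //    is used here as an assumption.)
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    // 2. CSRF check: verifies the nonce for action 'example_add_member' in the
    //    named field and terminates the request with an error page if it is
    //    missing or invalid. This is the check the vulnerable handler lacks.
    check_admin_referer( 'example_add_member', 'example_add_member_nonce' );
    // 3. Only now validate input and perform the privileged action.
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $level   = absint( $_POST['membership_level'] ?? 0 );
    if ( ! $user_id || ! $level || ! get_userdata( $user_id ) ) {
        wp_die( esc_html__( 'Invalid user or membership level.', 'example' ), 400 );
    }
    pmpro_changeMembershipLevel( $level, $user_id ); // assumed helper
}
add_action( 'admin_init', 'example_add_member_hardened' );
```

The order of the checks matters: the capability check decides whether this user may perform the action at all, and the nonce check decides whether this particular request was intentionally made from the plugin's own form. Either check alone is insufficient; a nonce without a capability check lets any logged-in subscriber add members, and a capability check without a nonce is exactly the CSRF condition this CVE describes.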

Generated by OpenCVE AI on June 26, 2026 at 17:37 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Values removed: none. Values added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Values removed: none. Values added:
Description: Unauthenticated Cross Site Request Forgery (CSRF) in Paid Memberships Pro - Add Member From Admin <= 0.7.2 versions.
Title: WordPress Paid Memberships Pro - Add Member From Admin plugin <= 0.7.2 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses: CWE-352
References: (none listed)
Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:37:05.157Z

Reserved: 2026-06-25T08:03:29.941Z

Link: CVE-2026-57659

Vulnrichment

Updated: 2026-06-26T15:36:58.559Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:45:03Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)