CVE-2024-0624 in Paid Memberships Pro Plugin
Summary
by MITRE • 01/25/2024
The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.7. This is due to missing or incorrect nonce validation on the pmpro_update_level_order() function. This makes it possible for unauthenticated attackers to update the order of levels via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2024-0624 affects the Paid Memberships Pro plugin for WordPress, a widely used solution for managing membership sites with content restriction and subscription management capabilities. This plugin serves thousands of websites by providing functionality to control user access to premium content and manage subscription levels. The vulnerability resides in the plugin's handling of level order updates, specifically within the pmpro_update_level_order() function. The issue represents a critical security flaw that undermines the integrity of the plugin's administrative operations and potentially compromises the entire membership system's configuration.
The technical root cause of this vulnerability stems from the absence of proper nonce validation within the pmpro_update_level_order() function. Nonces, or number used once, serve as critical security tokens that verify the authenticity of administrative actions in WordPress plugins and themes. Without proper nonce verification, an attacker can forge requests that appear to originate from legitimate administrative sessions. This weakness allows unauthenticated attackers to manipulate the order of membership levels through carefully crafted cross-site request forgery attacks. The vulnerability specifically targets the administrative functionality that controls how membership levels are displayed and ordered within the plugin's interface, potentially leading to confusion and manipulation of user access policies.
The operational impact of this CSRF vulnerability extends beyond simple configuration changes and could enable attackers to disrupt membership services or potentially gain unauthorized access to premium content. When an administrator clicks on a malicious link or visits a compromised website, the forged request could silently reorder membership levels, potentially affecting the visibility and accessibility of different subscription tiers. This manipulation might lead to situations where higher-tier memberships become less prominent or where free access levels are incorrectly positioned, thereby undermining the intended membership structure. The vulnerability is particularly dangerous because it requires minimal user interaction from the administrator, making it difficult to detect and prevent through simple user awareness measures.
Security researchers have classified this vulnerability under CWE-352, which specifically addresses Cross-Site Request Forgery issues in software applications. The ATT&CK framework categorizes this as a privilege escalation technique, where an attacker leverages a legitimate administrative session to perform unauthorized actions. The vulnerability demonstrates how seemingly minor implementation flaws in administrative functions can create significant security risks, especially when targeting widely used plugins. Organizations using the affected plugin versions should immediately implement mitigations including updating to the patched version, implementing additional security measures such as two-factor authentication, and monitoring for suspicious administrative activities. The affected versions include all releases up to and including 2.12.7, making it essential for users to verify their plugin installations and apply the necessary security updates to prevent potential exploitation.