Cyber Resilience

CVE-2024-0588

Medium

Published: 09 April 2024

Modified: 08 April 2026
KEV Added: not listed
Patch: available (fixed in version 3.0)
CVSS Score (v3.1): 4.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS Score: 0.0932 (92.9th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-0588 is a medium-severity CSRF (CWE-352) vulnerability in Strangerstudios Paid Memberships Pro. Its CVSS base score is 4.3 (Medium).

Operationally, its EPSS score places it in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Paid Memberships Pro plugin for WordPress, in versions up to and including 2.12.10, contains a cross-site request forgery vulnerability stemming from missing nonce validation in the pmpro_lifter_save_streamline_option function. This flaw affects the plugin's compatibility layer with Lifter LMS and is tracked under CWE-352 with a CVSS score of 4.3.

Unauthenticated attackers can exploit the issue by crafting a forged request that enables the streamline setting, provided a site administrator is tricked into performing an action such as clicking a link while logged in. Successful exploitation lets the attacker change this one configuration option without holding any credentials of their own.

Advisories from Wordfence and changesets in the WordPress plugin repository indicate that the vulnerability was addressed in version 3.0 through updates to the lifterlms.php compatibility file.

The EPSS score remains low with a current value of 0.0932 and a peak of 0.0955, and no information on active exploitation is provided in the references.
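As an added illustration (not code from the plugin or from the Wordfence advisory; the body of the real pmpro_lifter_save_streamline_option function is not on this page), this shows the pattern CWE-352 describes in a WordPress admin handler beside the nonce-validated form it should take. Function names, the option name and the nonce action slug are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Function names, the option name
// and the nonce action slug ('example_save_streamline') are hypothetical.

// Vulnerable pattern: any request that reaches this handler flips the option.
// A forged request from another origin, loaded in an administrator's browser,
// carries the admin's cookies and is indistinguishable from a legitimate one.
function example_save_streamline_option_vulnerable() {
    if ( isset( $_REQUEST['streamline'] ) ) {
        update_option( 'example_streamline', $_REQUEST['streamline'] === '1' ? '1' : '0' );
    }
}

// Hardened pattern, part 1: the settings form carries a nonce bound to this
// action and to the current user's session.
function example_render_streamline_form() {
    echo '<form method="post">';
    // Emits hidden _wpnonce and _wp_http_referer fields.
    wp_nonce_field( 'example_save_streamline' );
    echo '<input type="checkbox" name="streamline" value="1"> Enable streamline';
    echo '<button type="submit" name="example_action" value="save">Save</button>';
    echo '</form>';
}

// Hardened pattern, part 2: the handler refuses requests that lack a valid
// nonce for this action, then separately checks the caller's capability.
function example_save_streamline_option_hardened() {
    if ( ! isset( $_POST['example_action'] ) || $_POST['example_action'] !== 'save' ) {
        return;
    }
    // check_admin_referer() calls wp_die() unless _wpnonce verifies for this
    // action. The nonce is tied to the user and expires, so a page on another
    // origin cannot learn or guess it.
    check_admin_referer( 'example_save_streamline' );
    // CSRF protection alone does not stop a low-privilege user who can
    // legitimately obtain a nonce; the capability check covers that case.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $value = ( isset( $_POST['streamline'] ) && $_POST['streamline'] === '1' ) ? '1' : '0';
    update_option( 'example_streamline', $value );
}

add_action( 'admin_init', 'example_save_streamline_option_hardened' );
```

Reviewing a plugin for this class of bug means checking that every state-changing admin handler reaches a check_admin_referer() or wp_verify_nonce() call before it writes an option.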

Vulnerability details

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.10. This is due to missing nonce validation on the pmpro_lifter_save_streamline_option() function. This makes it possible for unauthenticated attackers to enable the streamline setting with Lifter LMS via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. CVE-2024-32793 and CVE-2024-32794 appear to be duplicates of this issue.

CWE(s)

CWE-352: Cross-Site Request Forgery (CSRF)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: strangerstudios
Product: paid memberships pro
Versions: ≤ 3.0

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF. (addresses CWE-352)
- Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation. (addresses CWE-352)
- Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications. (addresses CWE-352)
- Monitoring detects anomalous request patterns consistent with cross-site request forgery. (addresses CWE-352)
