CVE-2024-0588
Published: 09 April 2024
Summary
CVE-2024-0588 is a medium-severity CSRF (CWE-352) vulnerability in Strangerstudios Paid Memberships Pro. Its CVSS base score is 4.3 (Medium).
Operationally, it ranks in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Paid Memberships Pro plugin for WordPress, in versions up to and including 2.12.10, contains a cross-site request forgery vulnerability stemming from missing nonce validation in the pmpro_lifter_save_streamline_option function. This flaw affects the plugin's compatibility layer with Lifter LMS and is tracked under CWE-352 with a CVSS score of 4.3.
Unauthenticated attackers can exploit the issue by crafting a request that enables the streamline setting and tricking a site administrator into submitting it, for example by clicking a link. Because the forged request rides on the administrator's authenticated session, successful exploitation lets an attacker with no credentials of their own change this one configuration option.
Advisories from Wordfence and changesets in the WordPress plugin repository indicate that the vulnerability was addressed in version 3.0 through updates to the lifterlms.php compatibility file.
The EPSS score remains low with a current value of 0.0932 and a peak of 0.0955, and no information on active exploitation is provided in the references.
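The weakness described above is a state-changing admin action that is not bound to a nonce. The following WordPress handler is an added illustration, not code from Paid Memberships Pro: it shows the pattern as described (no nonce check) beside the hardened form using check_admin_referer(). The option, action and function names are hypothetical placeholders.

```php
<?php
// Added illustration (not Paid Memberships Pro code): a WordPress admin-post
// handler that saves a boolean option, first in the weak form the CVE
// describes (no nonce check), then hardened. Names are hypothetical.

// --- Weak pattern: any request that reaches this handler inside an
// administrator's session flips the option, because nothing proves the
// administrator initiated the action on this site.
function example_save_streamline_option_unsafe() {
    $enabled = ! empty( $_POST['streamline'] ) ? 1 : 0;
    update_option( 'example_streamline_enabled', $enabled );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// --- Hardened pattern: require the capability AND a nonce issued to this
// user's session for this specific action.
function example_save_streamline_option() {
    // Capability check: only users allowed to manage options may change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Nonce check: check_admin_referer() verifies the '_wpnonce' field for
    // the named action and stops with a 403 page if missing or invalid.
    check_admin_referer( 'example_save_streamline' );

    $enabled = ! empty( $_POST['streamline'] ) ? 1 : 0;
    update_option( 'example_streamline_enabled', $enabled );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_save_streamline', 'example_save_streamline_option' );

// The settings form that issues the nonce the hardened handler expects.
function example_render_streamline_form() {
    $enabled = (bool) get_option( 'example_streamline_enabled', false );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_streamline">
        <?php wp_nonce_field( 'example_save_streamline' ); ?>
        <label>
            <input type="checkbox" name="streamline" value="1" <?php checked( $enabled ); ?>>
            Enable streamline mode
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

A nonce alone does not replace the capability check: WordPress nonces are tied to the user and action but not to a role, so both checks belong in every state-changing handler.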
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16381
Vulnerability details
The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.10. This is due to missing nonce validation on the pmpro_lifter_save_streamline_option() function. This makes it possible for unauthenticated attackers to enable the streamline setting with Lifter LMS via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. CVE-2024-32793 and CVE-2024-32794 appear to be duplicates of this issue.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
- Requiring users to re-enter credentials for sensitive actions prevents automated forgery of requests without active user participation.
- Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
- Monitoring that detects anomalous request patterns consistent with cross-site request forgery.