CVE-2023-6855: 
WordPress vulnerability analysis and mitigation

The Paid Memberships Pro WordPress plugin (versions up to 2.12.5) contains a vulnerability (CVE-2023-6855) that allows unauthorized modification of membership levels due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function. This vulnerability was disclosed in January 2024 and affects all versions of the plugin up to and including version 2.12.5 (NVD).

The vulnerability stems from a missing authorization check in the plugin's REST API implementation, specifically in the pmpro_rest_api_get_permissions_check function. The flaw has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (Wordfence).

The vulnerability allows unauthenticated attackers to modify membership levels, including the ability to change pricing information. This could potentially lead to unauthorized access to premium content or financial losses for site owners (NVD).

Site administrators should update their Paid Memberships Pro plugin to a version newer than 2.12.5 to address this vulnerability. The issue has been fixed in subsequent releases through improved capability checks in the REST API implementation (NVD).