CVE-2024-37277: 
WordPress vulnerability analysis and mitigation

The Paid Memberships Pro WordPress plugin contains an Authorization Bypass Through User-Controlled Key vulnerability (CVE-2024-37277) that affects versions up to 3.0.4. The vulnerability was discovered by Rafie Muhammad and publicly disclosed on June 28, 2024. This security issue impacts the Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin, which is widely used for managing membership content and subscriptions in WordPress websites (Patchstack, WPScan).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue, specifically in the pmpro_twocheckoutValidate function, due to missing validation on a user-controlled key. The severity of this vulnerability has been assessed with different CVSS v3.1 scores: NIST rates it as CRITICAL with a base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while Patchstack assigns it a HIGH severity with a score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). The vulnerability is categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD).

The vulnerability allows unauthenticated attackers to bypass authorization and authentication mechanisms, potentially enabling them to update order statuses to paid without proper authorization. This security flaw could lead to unauthorized access to functionality that should be properly constrained by Access Control Lists (ACLs) (WPScan).

The vulnerability has been fixed in version 3.0.5 of the Paid Memberships Pro plugin. Users are strongly advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).