CVE-2025-68514
Authorization Bypass in Paid Member Subscriptions Plugin
Publication date: 2026-02-20
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cozmoslabs | paid_member_subscriptions | From 2.16.0 (inc) to 2.16.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68514 is an Insecure Direct Object References (IDOR) vulnerability in the WordPress Paid Member Subscriptions Plugin versions up to and including 2.16.8.
This vulnerability allows a malicious actor to bypass authorization and authentication mechanisms by exploiting incorrectly configured access control security levels.
As a result, an attacker with at least subscriber or developer privileges can gain unauthorized access to sensitive files, folders, or database interactions.
The issue falls under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive information stored within the Paid Member Subscriptions plugin, such as files, folders, or database content.
An attacker exploiting this flaw could bypass normal access controls, potentially compromising user data or subscription information.
Although the CVSS severity score is moderate (6.5), the risk is considered low priority due to no impactful threat reported so far.
However, if exploited, it could undermine the security and privacy of your membership data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an Insecure Direct Object References (IDOR) issue in the WordPress Paid Member Subscriptions Plugin up to version 2.16.8, allowing authorization bypass.
Detection typically involves verifying the plugin version installed on your WordPress site and checking for unauthorized access attempts to sensitive files or database interactions that should be restricted.
Since exploitation requires at least subscriber or developer privileges, monitoring user roles and access patterns for suspicious activity can help detect exploitation attempts.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WordPress Paid Member Subscriptions Plugin to version 2.16.9 or later, where this vulnerability has been patched.
Additionally, enabling auto-updates for the plugin can help ensure that future vulnerabilities are addressed promptly.
Monitoring user privileges and access control configurations to prevent unauthorized privilege escalation is also recommended.