CVE-2025-68514
Awaiting Analysis Awaiting Analysis - Queue
Authorization Bypass in Paid Member Subscriptions Plugin

Publication date: 2026-02-20

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Paid Member Subscriptions: from n/a through <= 2.16.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68514
EUVD
EUVD-2025-208075
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cozmoslabs paid_member_subscriptions From 2.16.0 (inc) to 2.16.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68514 is an Insecure Direct Object References (IDOR) vulnerability in the WordPress Paid Member Subscriptions Plugin versions up to and including 2.16.8.

This vulnerability allows a malicious actor to bypass authorization and authentication mechanisms by exploiting incorrectly configured access control security levels.

As a result, an attacker with at least subscriber or developer privileges can gain unauthorized access to sensitive files, folders, or database interactions.

The issue falls under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive information stored within the Paid Member Subscriptions plugin, such as files, folders, or database content.

An attacker exploiting this flaw could bypass normal access controls, potentially compromising user data or subscription information.

Although the CVSS severity score is moderate (6.5), the risk is considered low priority due to no impactful threat reported so far.

However, if exploited, it could undermine the security and privacy of your membership data.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is an Insecure Direct Object References (IDOR) issue in the WordPress Paid Member Subscriptions Plugin up to version 2.16.8, allowing authorization bypass.

Detection typically involves verifying the plugin version installed on your WordPress site and checking for unauthorized access attempts to sensitive files or database interactions that should be restricted.

Since exploitation requires at least subscriber or developer privileges, monitoring user roles and access patterns for suspicious activity can help detect exploitation attempts.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to update the WordPress Paid Member Subscriptions Plugin to version 2.16.9 or later, where this vulnerability has been patched.

Additionally, enabling auto-updates for the plugin can help ensure that future vulnerabilities are addressed promptly.

Monitoring user privileges and access control configurations to prevent unauthorized privilege escalation is also recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68514. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart