CVE-2026-57659
Deferred Deferred - Pending Action

Unauthenticated CSRF in Paid Memberships Pro Add Member

Vulnerability report for CVE-2026-57659, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description

Unauthenticated Cross Site Request Forgery (CSRF) in Paid Memberships Pro - Add Member From Admin <= 0.7.2 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
paid_memberships_pro add_member_from_admin to 0.7.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability is a Cross Site Request Forgery (CSRF) in the WordPress plugin "Paid Memberships Pro - Add Member From Admin" version 0.7.2 or earlier.

It allows attackers to trick higher privileged users into executing unwanted actions while they are authenticated, by making them interact with a malicious link.

This vulnerability requires user interaction but can lead to serious consequences due to the high privileges involved.

Detection Guidance

This vulnerability affects the WordPress plugin "Paid Memberships Pro - Add Member From Admin" version 0.7.2 or earlier. Detection involves verifying the plugin version installed on your WordPress site.

To detect if your system is vulnerable, check the plugin version by accessing your WordPress admin dashboard or by using command line tools to inspect the plugin files.

  • Use WP-CLI to check the plugin version: wp plugin list --status=active
  • Manually inspect the plugin version in the plugin's main PHP file, typically located at wp-content/plugins/pmpro-add-member-admin/, by looking for the version header.

Since this is a CSRF vulnerability, network detection is challenging because it requires user interaction and exploits authenticated sessions. Monitoring for suspicious POST requests to the plugin's endpoints with unusual parameters might help, but no specific detection commands are provided.

The recommended mitigation is to update the plugin to version 0.7.3 or later.

Impact Analysis

This vulnerability can have a high impact as it allows attackers to perform actions with the privileges of an authenticated user without their consent.

The CVSS score of 8.8 indicates a high risk, with potential impacts on confidentiality, integrity, and availability.

  • Confidentiality (C): High - attackers may access sensitive data.
  • Integrity (I): High - attackers can modify data or settings.
  • Availability (A): High - attackers can disrupt service or functionality.

Immediate updating to version 0.7.3 or later is recommended to mitigate these risks.

Compliance Impact

The provided information does not specify how the Cross Site Request Forgery (CSRF) vulnerability in the Paid Memberships Pro - Add Member From Admin plugin affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WordPress plugin "Paid Memberships Pro - Add Member From Admin" to version 0.7.3 or later.

Enabling auto-updates for vulnerable plugins can also help ensure that the plugin remains up to date and protected against this CSRF vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57659. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart