CVE-2023-6855: CWE-862 Missing Authorization in strangerstudios Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Low
Tags: Vulnerability, CVE-2023-6855, CWE-862
Published: Thu Jan 11 2024 (01/11/2024, 08:32:31 UTC)
Source: CVE Database V5
Vendor/Project: strangerstudios
Product: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Description

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function in all versions up to 2.12.5 (inclusive). This makes it possible for unauthenticated attackers to change membership levels including prices.

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 15:40:18 UTC

Technical Analysis

CVE-2023-6855 is a vulnerability identified in the WordPress plugin "Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions" developed by strangerstudios. This plugin is widely used to manage membership levels, content restriction, user registration, and paid subscriptions on WordPress sites. The vulnerability stems from an improper implementation of an authorization check within the function pmpro_rest_api_get_permissions_check. Specifically, the capability check that should restrict access to modifying membership levels is missing or incorrectly enforced. As a result, unauthenticated attackers can exploit this flaw to modify membership levels, including altering prices, without any authentication or user interaction. The vulnerability affects all versions up to and including 2.12.5. The CVSS v3.1 base score is 5.3, indicating a medium severity level, with the vector showing that the attack can be performed remotely (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is limited to integrity, as confidentiality and availability are not directly affected. No known exploits are currently reported in the wild, and no official patches have been linked yet. This vulnerability falls under CWE-862 (Missing Authorization), which highlights the risk of insufficient access control allowing unauthorized actions.

Potential Impact

For European organizations using the Paid Memberships Pro plugin on their WordPress sites, this vulnerability poses a risk to the integrity of their membership management systems. Attackers could manipulate membership levels, potentially granting unauthorized access to premium content or services without payment, or altering pricing structures to cause financial loss or reputational damage. This could lead to revenue loss, customer trust erosion, and compliance issues, especially under regulations like GDPR if personal data is indirectly affected through unauthorized membership changes. While the vulnerability does not directly compromise confidentiality or availability, the unauthorized modification of membership data can disrupt business operations and customer relationships. Organizations relying heavily on subscription-based models or membership-driven content in sectors such as media, education, or professional services in Europe should be particularly cautious. The lack of required authentication and user interaction makes exploitation easier, increasing the risk of automated or opportunistic attacks.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify if the Paid Memberships Pro plugin is in use and verify the version. Until an official patch is released, it is advisable to implement temporary access restrictions on the REST API endpoints related to membership management, for example by using web application firewalls (WAFs) or custom code to enforce strict authorization checks. Monitoring and logging REST API calls for suspicious activity can help detect exploitation attempts early. Organizations should also consider disabling or restricting the plugin’s REST API functionality if it is not essential. Regular backups of membership data should be maintained to enable recovery in case of unauthorized changes. Additionally, organizations should subscribe to vendor advisories and security mailing lists to promptly apply any forthcoming patches. For sites with high security requirements, consider isolating membership management functions or migrating to alternative plugins with stronger security postures.
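The "custom code to enforce strict authorization checks" suggested above, as an added illustration that is not Paid Memberships Pro code: a REST permission callback that exhibits the CWE-862 pattern (it never looks at the caller) next to a hardened one, and a site-level stopgap filter for an unpatched install. The route prefix `/pmpro/v1/` and the set of HTTP methods treated as writes are assumptions, since the page does not state them; widen the filter if the affected operation is reachable over GET.

```php
<?php
// Weak pattern (CWE-862): the permission callback approves every request,
// so unauthenticated callers reach the handler that writes membership data.
function example_weak_permissions_check( WP_REST_Request $request ) {
    return true;
}

// Hardened pattern: require an authenticated user and an explicit capability
// tied to the privileged action. Returning WP_Error makes the REST server
// answer 401/403 before the route handler runs.
function example_hardened_permissions_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    // manage_options is a core WordPress capability held by administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    return true;
}

// Stopgap for an unpatched site: reject unauthenticated write requests to the
// plugin's REST namespace before any route callback is dispatched, and log
// them so exploitation attempts are visible. Read requests are left alone.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $is_plugin_route = 0 === strpos( $request->get_route(), '/pmpro/v1/' ); // assumed namespace
    $is_write        = in_array( $request->get_method(), array( 'POST', 'PUT', 'PATCH', 'DELETE' ), true );
    if ( $is_plugin_route && $is_write && ! is_user_logged_in() ) {
        error_log( sprintf(
            'Blocked unauthenticated %s to %s from %s',
            $request->get_method(),
            $request->get_route(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
}, 10, 3 );
```

Drop the filter into a small must-use plugin so it survives plugin updates, and remove it once the vendor fix is applied.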


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2023-12-15T17:01:59.388Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683f034b182aa0cae27e6653

Added to database: 6/3/2025, 2:14:35 PM

Last enriched: 7/4/2025, 3:40:18 PM

Last updated: 7/31/2025, 6:54:13 AM
