CVE-2024-12919: CWE-287 Improper Authentication in madalinungureanu Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
CVE-2024-12919 is a critical authentication bypass in the WordPress plugin 'Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction', affecting all versions up to and including 2.13.7. The plugin's pms_pb_payment_redirect_link function treats the user-controlled 'pms_payment_id' request parameter as proof of identity: it looks up the payment and logs the requester in as the user who made it, with no further verification. An unauthenticated attacker who knows, or can enumerate, a valid payment ID can therefore log in as any user who has made a purchase on the site, with full impact on confidentiality, integrity, and availability. The CVSS v3.1 base score is 9.8 (critical): network-reachable, low complexity, no privileges and no user interaction required. No exploitation in the wild had been reported when this entry was written, but the flaw is trivial to exercise. Update to a release newer than 2.13.7 as soon as one is available; until then, treat payment IDs as public values rather than secrets and watch for logins that originate from the payment-redirect flow.
AI Analysis
Technical Summary
CVE-2024-12919 is a critical vulnerability classified under CWE-287 (Improper Authentication). It affects all versions up to and including 2.13.7 of the WordPress plugin 'Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction' by madalinungureanu. The root cause is in the pms_pb_payment_redirect_link function: the 'pms_payment_id' parameter is taken from the request, the corresponding payment record is looked up, and the requester is authenticated as the user who made that payment, with no proof that the requester is that user. The payment ID is not a secret; identifiers of this kind are typically sequential database row IDs, so an attacker does not need to 'guess' one so much as iterate over a small range. Anyone who can reach the endpoint can therefore obtain a session for any user with a payment on record. The exploit is network-reachable, needs no privileges and no user interaction, and has no precondition beyond a valid ID. Confidentiality is lost because the attacker reads everything the victim account can; integrity because the attacker acts as that user (changing profile data, cancelling or altering subscriptions); availability because legitimate users can be locked out or disrupted by actions taken in their name. The CVSS v3.1 base score of 9.8 (critical) corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. No public exploit had been reported when this entry was written, but the bypass is simple enough that none is needed. This entry carries no patch link; check the plugin changelog for a release newer than 2.13.7 rather than assuming no fix exists, and treat the issue as urgent either way.
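As an added illustration (this is not code from the plugin or from the advisory; the plugin itself is PHP, and the parameter name pms_token, the PAYMENTS table, the nonce store and SECRET_KEY are assumptions made here), the following Python contrasts the pattern described above, where the request's payment ID alone decides who is logged in, with a handler that accepts the same redirect only when it carries a server-minted, HMAC-bound, expiring, single-use token. The enumeration helper shows why a guessable ID is not an authenticator.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed sample data: payment id -> WordPress user id that made the payment.
# Sequential integers, as auto-increment row ids usually are.
PAYMENTS = {101: 7, 102: 7, 103: 12, 104: 31}

# Assumption: a server-side secret (in WordPress this would come from a wp-config salt).
SECRET_KEY = b"server-side-secret-never-sent-to-the-client"

# Server-side record of tokens already redeemed, so a leaked URL cannot be replayed.
USED_NONCES = set()


def build_query(payment_id, token=None):
    """Build the query string a redirect link would carry (pms_token is a hypothetical name)."""
    params = {"pms_payment_id": payment_id}
    if token is not None:
        params["pms_token"] = token
    return urlencode(params)


def vulnerable_redirect_login(query):
    """The pattern the advisory describes: the request parameter alone decides who gets logged in.
    Returns the user id the handler would authenticate, or None."""
    params = parse_qs(query)
    try:
        payment_id = int(params["pms_payment_id"][0])
    except (KeyError, ValueError):
        return None
    # The only check is that a payment with this id exists.
    return PAYMENTS.get(payment_id)


def make_redirect_token(payment_id, user_id, ttl=300, now=None):
    """Mint the token the server attaches to a redirect it generated itself for a known user.
    Binds payment id, user id, expiry and a one-time nonce under an HMAC."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    nonce = secrets.token_hex(8)
    body = f"{payment_id}:{user_id}:{expires}:{nonce}"
    mac = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"


def hardened_redirect_login(query, now=None):
    """Same entry point, but identity comes from a verified token, not from the payment id."""
    params = parse_qs(query)
    try:
        payment_id = int(params["pms_payment_id"][0])
        t_pid, t_uid, t_exp, nonce, mac = params["pms_token"][0].split(":")
        t_pid, t_uid, t_exp = int(t_pid), int(t_uid), int(t_exp)
    except (KeyError, ValueError):
        return None
    now = int(time.time()) if now is None else now
    body = f"{t_pid}:{t_uid}:{t_exp}:{nonce}"
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison first: reject forgeries before acting on any token field.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if t_exp < now or nonce in USED_NONCES:
        return None  # expired or replayed
    if t_pid != payment_id or PAYMENTS.get(payment_id) != t_uid:
        return None  # token does not match the payment, or the payment belongs to someone else
    USED_NONCES.add(nonce)
    return t_uid


def enumerate_payment_ids(login_fn, start=100, stop=110):
    """What an unauthenticated attacker does: walk a range of candidate ids and collect every
    one that yields a session. Succeeds against the vulnerable handler, yields nothing against
    the hardened one because no valid token can be produced without SECRET_KEY."""
    hits = {}
    for candidate in range(start, stop):
        user_id = login_fn(build_query(candidate))
        if user_id is not None:
            hits[candidate] = user_id
    return hits


if __name__ == "__main__":
    print("vulnerable:", enumerate_payment_ids(vulnerable_redirect_login))
    print("hardened:  ", enumerate_payment_ids(hardened_redirect_login))
```

In a real plugin the token would be minted only at the point where the plugin itself builds the post-checkout redirect for a user it has just verified, the nonce store would live in a database table or transient rather than in process memory, and the WordPress login call (wp_set_auth_cookie) would run only after the hardened check returns a user id. Binding the token to both the payment and the user is what stops a valid token for one purchase from being reused against another.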
Potential Impact
The impact of CVE-2024-12919 is severe for any organization running the affected plugin. An attacker can impersonate every user who has a payment on record, which means unauthorized access to personal data, paid membership content and, if the impersonated account holds an elevated WordPress role, administrative functions as well. Consequences include data breaches, financial fraud, unauthorized reading or modification of restricted content, and reputational damage. Because personal and payment-related data are involved, the flaw may also create regulatory exposure. The attack needs no credentials and no victim interaction, and payment IDs are typically sequential, so a single script can enumerate and compromise many accounts in minutes. Sites that depend on the plugin for recurring payments and content restriction risk revenue loss and customer churn. The range of affected versions (everything up to 2.13.7) and the plugin's wide use on WordPress membership sites amplify the potential global impact.
Mitigation Recommendations
To mitigate CVE-2024-12919, first inventory every WordPress site for the affected plugin and confirm its version; anything at or below 2.13.7 is exposed. Apply the vendor update as soon as a release newer than 2.13.7 is available. Until then:
1) Fix the pattern at the code level if you maintain a fork or can hot-patch: a redirect handler must never log a visitor in on the strength of a request parameter. Either require the request to come from a session that already owns the payment, or have the server mint a signed, short-lived, single-use token when it builds the redirect and verify that token (HMAC, expiry, nonce, binding to payment and user) before any login occurs.
2) Front the site with a Web Application Firewall and block, or at least rate-limit, unauthenticated requests that carry pms_payment_id; a legitimate buyer presents one ID once, so many distinct IDs from one client in a short window is enumeration.
3) Monitor access and authentication logs for that enumeration pattern and for logins that originate from the payment-redirect flow, especially from addresses or user agents that never completed a checkout.
4) Do not rely on payment IDs being secret; they are typically sequential integers and cannot usefully be rotated. If abuse is suspected, invalidate sessions and force password resets for the affected accounts instead.
5) Keep purchasing accounts at the lowest WordPress role that still works (Subscriber), so an impersonated account yields no administrative capability.
6) Consider temporarily disabling the plugin, or the payment-redirect feature, until a fixed version is installed.
7) Enforce strong passwords and multi-factor authentication for administrative accounts; this does not close the bypass but limits what an attacker gains if an administrator has a payment on record.
Refresh backups and incident-response runbooks so that a compromise through this path can be detected and rolled back.
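The log-monitoring step above can be made concrete. The following Python is an added example, not tooling from the plugin vendor or from this advisory: it parses a few constructed access-log lines in combined log format and flags any client that presented several distinct pms_payment_id values inside a short window, which is the signature of an attacker walking sequential IDs. The sample lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format. Not real traffic.
# 203.0.113.9 walks four consecutive ids in four seconds; 198.51.100.4 looks like two normal checkouts.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Jan/2025:12:00:01 +0000] "GET /?pms_payment_id=100 HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.9 - - [10/Jan/2025:12:00:02 +0000] "GET /?pms_payment_id=101 HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.9 - - [10/Jan/2025:12:00:03 +0000] "GET /?pms_payment_id=102 HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.9 - - [10/Jan/2025:12:00:04 +0000] "GET /?pms_payment_id=103 HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.4 - - [10/Jan/2025:12:01:00 +0000] "GET /checkout/?pms_payment_id=104 HTTP/1.1" 302 0 "https://shop.example/" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:12:01:05 +0000] "GET /account/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:13:30:00 +0000] "GET /checkout/?pms_payment_id=105 HTTP/1.1" 302 0 "https://shop.example/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return ip, timestamp, status and the pms_payment_id value (None if absent), or None on junk."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    query = parse_qs(urlsplit(m["target"]).query)
    return {
        "ip": m["ip"],
        "ts": ts,
        "status": int(m["status"]),
        "payment_id": query.get("pms_payment_id", [None])[0],
    }


def find_enumeration(log_text, window_seconds=300, threshold=3):
    """Flag each client ip that presented at least `threshold` distinct pms_payment_id values
    within any span of `window_seconds`. A legitimate buyer lands on the redirect with one id;
    several different ids from one client in minutes is enumeration."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["payment_id"] is not None:
            events[rec["ip"]].append((rec["ts"], rec["payment_id"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = set()
        start = 0
        # Sliding window over the time-ordered requests of this client.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {pid for _, pid in evs[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= threshold:
            flagged[ip] = sorted(best)
    return flagged


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"possible pms_payment_id enumeration from {ip}: {ids}")
```

The same rule translates directly into a WAF rate limit (distinct pms_payment_id values per client per five minutes). When a hit is confirmed, correlate the IDs with the payment table to learn which accounts were reachable, then invalidate those users' sessions and reset their passwords, since the plugin would have issued a real login cookie for each successful request.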
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-24T17:14:52.449Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e4bb7ef31ef0b59c71a
Added to database: 2/25/2026, 9:48:59 PM
Last enriched: 2/26/2026, 2:27:14 AM
Last updated: 2/26/2026, 8:37:22 AM
Related Threats
- CVE-2026-1698: CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax in arcinfo PcVue (Medium)
- CVE-2026-1697: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in arcinfo PcVue (Medium)
- CVE-2026-1696: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue (Low)
- CVE-2026-1695: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue (Medium)
- CVE-2026-1694: CWE-201 Insertion of Sensitive Information into Sent Data in arcinfo PcVue (Low)