
CVE-2024-1389: CWE-862 Missing Authorization in iovamihai Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Severity: Medium
Published: Tue Feb 20 2024 (02/20/2024, 18:56:46 UTC)
Source: CVE
Vendor/Project: iovamihai
Product: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Description

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_stripe_connect_handle_authorization_return function in all versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to change the Stripe payment keys.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 08:24:36 UTC

Technical Analysis

CVE-2024-1389 is a missing authorization vulnerability (CWE-862) in the WordPress plugin 'Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction' by iovamihai. The flaw is in pms_stripe_connect_handle_authorization_return, the function that handles the return leg of the Stripe Connect authorization flow. It performs no capability check, so a request that reaches it is processed regardless of who sent it, and an unauthenticated attacker can use it to change the Stripe payment keys the plugin stores. All versions up to and including 2.11.1 are affected.

Because those keys determine which Stripe account the site's recurring payments are settled to, an attacker who replaces them can redirect revenue to an account they control, or simply break checkout by storing invalid keys.

The CVSS v3.1 base score is 5.3 (Medium): network attack vector, low attack complexity, no privileges required, no user interaction, and an impact confined to integrity (confidentiality and availability of the site itself are scored as unaffected). The score reflects the technical impact on the WordPress installation, not the financial exposure of a site whose payment keys can be rewritten by anyone on the internet. No public exploit or active exploitation had been reported at the time of this analysis. The CVE was reserved on 2024-02-08 and published on 2024-02-20 with Wordfence as assigner, and the record carries CISA enrichment. Given the plugin's popularity for membership and recurring-payment sites, the vulnerability is a moderate risk to affected installations and a more serious one for any site that processes live Stripe payments.
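As an added example, not code from the plugin or from this advisory: the pattern the advisory describes, reconstructed in WordPress PHP, next to a hardened handler that adds the missing check. All names (the example_* functions, the option name, the query parameters, the EXAMPLE_STRIPE_PLATFORM_SECRET constant) are hypothetical; the advisory gives only the real handler's name. The token exchange uses Stripe's standard Connect OAuth endpoints and is an assumption about how such a handler obtains keys; the plugin's actual flow is not described on this page.

```php
<?php
/**
 * Added example (not the plugin's code). Two handlers for the return leg of a
 * Stripe Connect flow: the CWE-862 pattern CVE-2024-1389 describes, and a
 * hardened version. Drop into wp-content/mu-plugins/ on a test site to exercise.
 * Every name below is hypothetical; the real handler is
 * pms_stripe_connect_handle_authorization_return.
 */

// --- Vulnerable pattern (CWE-862) -------------------------------------------
// Runs on every page load, reacts to a query flag and stores whatever keys the
// request carries. Nothing checks who sent it, so one unauthenticated GET
// replaces the site's payment keys.
function example_stripe_return_vulnerable() {
	if ( ! isset( $_GET['example_stripe_return'] ) ) {
		return;
	}
	update_option( 'example_stripe_keys', array(
		'secret_key'      => sanitize_text_field( wp_unslash( $_GET['secret_key'] ?? '' ) ),
		'publishable_key' => sanitize_text_field( wp_unslash( $_GET['publishable_key'] ?? '' ) ),
	) );
}
// add_action( 'init', 'example_stripe_return_vulnerable' ); // deliberately not hooked

// --- Hardened form ------------------------------------------------------------
// When an admin starts the flow, mint a nonce and pass it to Stripe as the OAuth
// `state` value so it comes back alongside the one-time authorization code.
function example_stripe_connect_url( $client_id ) {
	return add_query_arg( array(
		'response_type' => 'code',
		'client_id'     => $client_id,
		'scope'         => 'read_write',
		'state'         => wp_create_nonce( 'example_stripe_connect' ),
		'redirect_uri'  => admin_url( 'admin.php?example_stripe_return=1' ),
	), 'https://connect.stripe.com/oauth/authorize' );
}

function example_stripe_return_hardened() {
	if ( ! isset( $_GET['example_stripe_return'] ) ) {
		return;
	}
	// 1. Authorization: the check CVE-2024-1389 lacks. Only users who may manage
	//    site settings can complete the flow; anonymous visitors stop here.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to do this.' ), '', array( 'response' => 403 ) );
	}
	// 2. Request binding: `state` must be the nonce minted for this user when the
	//    flow started. This also stops an attacker CSRF-ing a logged-in admin into
	//    completing a flow the attacker began with the attacker's Stripe account.
	$state = sanitize_text_field( wp_unslash( $_GET['state'] ?? '' ) );
	if ( ! wp_verify_nonce( $state, 'example_stripe_connect' ) ) {
		wp_die( esc_html__( 'Invalid or expired state parameter.' ), '', array( 'response' => 403 ) );
	}
	// 3. Never take keys from the query string. Exchange the one-time code with
	//    Stripe server-side; the keys come from Stripe's response, not the browser.
	//    EXAMPLE_STRIPE_PLATFORM_SECRET is a hypothetical constant from wp-config.php.
	if ( ! defined( 'EXAMPLE_STRIPE_PLATFORM_SECRET' ) ) {
		wp_die( esc_html__( 'Platform secret not configured.' ), '', array( 'response' => 500 ) );
	}
	$code = sanitize_text_field( wp_unslash( $_GET['code'] ?? '' ) );
	$resp = wp_remote_post( 'https://connect.stripe.com/oauth/token', array(
		'timeout' => 15,
		'body'    => array(
			'grant_type'    => 'authorization_code',
			'code'          => $code,
			'client_secret' => EXAMPLE_STRIPE_PLATFORM_SECRET,
		),
	) );
	if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
		wp_die( esc_html__( 'Stripe token exchange failed.' ), '', array( 'response' => 502 ) );
	}
	$body = json_decode( wp_remote_retrieve_body( $resp ), true );
	if ( empty( $body['stripe_user_id'] ) || empty( $body['access_token'] ) ) {
		wp_die( esc_html__( 'Unexpected response from Stripe.' ), '', array( 'response' => 502 ) );
	}
	// Store with autoload=false so the secret is not loaded on every request.
	update_option( 'example_stripe_keys', array(
		'account_id'      => $body['stripe_user_id'],
		'publishable_key' => $body['stripe_publishable_key'] ?? '',
		'access_token'    => $body['access_token'],
	), false );
	wp_safe_redirect( admin_url( 'admin.php?page=example-stripe&connected=1' ) );
	exit;
}
add_action( 'admin_init', 'example_stripe_return_hardened' );
```

Two caveats on the hardened form. wp_verify_nonce() is tied to the logged-in user's session cookie and to a 12 to 24 hour nonce window, so the admin must finish the Stripe flow in the same browser within that time; that is the desired behaviour, because it is exactly what binds the returned code to the person who started the flow. And hooking the handler on admin_init (rather than init, as the vulnerable form does) keeps it off the public front end entirely, but the current_user_can() check is still the authoritative control: admin_init also fires for admin-ajax.php requests from anonymous users.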

Potential Impact

The direct impact is unauthorized modification of the Stripe payment keys the plugin stores. An attacker who substitutes keys for a Stripe account they control can have the site's subscription payments settled to that account, which means fraud and lost revenue for the operator; replacing the keys with invalid values instead breaks payment processing for a subscription business. The CVSS vector scores availability as unaffected because the WordPress site itself keeps serving pages; the disruption is to the payment flow and the business, not to the server. Because exploitation needs neither authentication nor user interaction, the flaw is well suited to automated, mass-scanning attacks against vulnerable WordPress installations. No in-the-wild exploitation had been reported at the time of this analysis, which suggests limited active abuse so far, but the combination of trivial exploitation and direct financial consequences makes this a significant concern for e-commerce, membership and subscription businesses.

Mitigation Recommendations

1. Update: upgrade the Paid Membership Subscriptions plugin to a release later than 2.11.1, which the advisory lists as the last affected version; confirm in the vendor changelog that the release adds the capability check. Because every version up to 2.11.1 is affected regardless of configuration, the update is the only complete fix.
2. Temporary containment: pms_stripe_connect_handle_authorization_return is a PHP function, not a URL, so a WAF rule that matches on the function name blocks nothing. Read the plugin source to identify the query parameters or action value that cause the function to run, then block requests carrying them unless they arrive with an authenticated administrator session.
3. Stripe key verification and rotation: treat the keys stored in the plugin as possibly tampered with. Compare the stored secret and publishable keys (and the connected account ID) with the values in your own Stripe dashboard; if they differ, or if the site was exposed for any period before patching, revoke and regenerate the keys in Stripe and re-enter them.
4. Monitoring: snapshot the plugin's stored Stripe settings and compare them on a schedule so any change raises an alert; review web-server logs for unauthenticated requests that match the trigger identified in step 2; and reconcile Stripe payouts against expected revenue, since a silent key swap shows up first as missing money.
5. Least privilege: this flaw needs no privileges at all, so tightening roles does not address it directly, but keeping the set of administrators small limits what an attacker can do with any foothold gained through payment tampering.
6. WordPress hardening: keep the plugin set minimal and current, remove plugins that are not in use, and enforce strong authentication (including multi-factor) for administrator accounts.
7. Incident response readiness: be prepared to respond to fraud or payment disruption by coordinating with Stripe, with finance, and with legal teams, and know in advance how to revoke keys and reissue customer charges.
8. Backup and recovery: keep regular backups of the WordPress database and configuration so a known-good set of plugin settings can be restored quickly.
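The comparison in steps 3 and 4, as an added example that is not part of this advisory and not the plugin's code: a stand-alone PHP script that flags any Stripe key in the site's options that differs from a recorded baseline. The option names are placeholders (the advisory does not name the plugin's real option keys), the two snapshots are constructed sample data, and the classification relies on Stripe's public key-prefix convention (sk_, pk_, rk_ followed by live_ or test_).

```php
<?php
/**
 * Added example (not the plugin's code): detect drift in stored Stripe keys.
 * In practice, feed it exports taken with `wp option get <name> --format=json`
 * from a cron job; here both snapshots are constructed inline.
 */
declare(strict_types=1);

/** Classify a key by Stripe's prefix convention without exposing its body. */
function describe_stripe_key( ?string $value ): string {
	if ( $value === null || $value === '' ) {
		return 'unset';
	}
	if ( ! preg_match( '/^(sk|pk|rk)_(live|test)_[A-Za-z0-9]+$/', $value, $m ) ) {
		return 'not-a-stripe-key';
	}
	$kind = array( 'sk' => 'secret', 'pk' => 'publishable', 'rk' => 'restricted' )[ $m[1] ];
	return sprintf( '%s/%s/...%s', $kind, $m[2], substr( $value, -4 ) );
}

/**
 * One record per option whose value changed, appeared or disappeared between
 * the baseline and the current snapshot; an empty array means no drift.
 */
function stripe_key_drift( array $baseline, array $current ): array {
	$drift = array();
	$names = array_unique( array_merge( array_keys( $baseline ), array_keys( $current ) ) );
	foreach ( $names as $name ) {
		$old = isset( $baseline[ $name ] ) ? (string) $baseline[ $name ] : null;
		$new = isset( $current[ $name ] ) ? (string) $current[ $name ] : null;
		if ( $old === $new ) {
			continue;
		}
		$drift[] = array(
			'option' => $name,
			'was'    => describe_stripe_key( $old ),
			'now'    => describe_stripe_key( $new ),
			// A live secret key replaced by a different live secret key is the
			// CVE-2024-1389 outcome: payments silently move to another account.
			'severity' => ( $new !== null && str_starts_with( $new, 'sk_live_' ) ) ? 'critical' : 'warning',
		);
	}
	return $drift;
}

// Constructed sample: the baseline the admin recorded, then a later snapshot.
$baseline = array(
	'example_stripe_live_secret'      => 'sk_live_abcdef1234567890',
	'example_stripe_live_publishable' => 'pk_live_abcdef1234567890',
);
$current = array(
	'example_stripe_live_secret'      => 'sk_live_zyxwvu0987654321', // swapped
	'example_stripe_live_publishable' => 'pk_live_abcdef1234567890',
);

$drift = stripe_key_drift( $baseline, $current );
foreach ( $drift as $d ) {
	fprintf( STDERR, "[%s] %s: %s -> %s\n", $d['severity'], $d['option'], $d['was'], $d['now'] );
}
exit( $drift ? 1 : 0 );
```

The script prints only the key type, mode and last four characters, so its output can go to a ticket or chat alert without leaking the secret itself, and its non-zero exit status lets a cron wrapper page someone. A publishable-key change is reported as a warning because it is visible to customers anyway; a live secret-key change is the case that moves money.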


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-02-08T22:06:28.929Z
CISA Enriched: true

Threat ID: 682d9840c4522896dcbf1094

Added to database: 5/21/2025, 9:09:20 AM

Last enriched: 2/28/2026, 8:24:36 AM

Last updated: 3/25/2026, 9:24:47 PM
