The vulnerability CVE-2025-11835 affects the WordPress plugin 'Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction' developed by cozmoslabs. The issue is classified under CWE-862 (Missing Authorization) and is due to the absence of proper capability and validation checks in the PMS_AJAX_Checkout_Handler::process_payment() function. This function handles payment processing for membership auto-renewals. Because the authorization checks are missing, unauthenticated attackers can invoke this function to trigger stored auto-renew charges on behalf of arbitrary members without their consent. The vulnerability exists in all plugin versions up to and including 2.16.4. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts integrity (I:L) but not confidentiality or availability. The scope remains unchanged (S:U). No patches were linked at the time of publication, and no known exploits have been reported in the wild. This vulnerability could lead to unauthorized financial transactions, undermining trust in the membership platform and potentially causing financial losses for users and organizations. The plugin is widely used for managing memberships, recurring payments, and content restriction on WordPress sites, making the vulnerability relevant to many online businesses and communities.

The primary impact of this vulnerability is the unauthorized triggering of auto-renew charges on members’ accounts, which compromises the integrity of financial transactions within the membership system. Organizations relying on this plugin for subscription management may face financial losses, customer dissatisfaction, and reputational damage if attackers exploit this flaw to charge members without authorization. Although confidentiality and availability are not directly affected, the unauthorized charges can lead to disputes, chargebacks, and potential legal consequences. The ease of exploitation—requiring no authentication or user interaction—makes this vulnerability particularly concerning for websites with large membership bases. Attackers could automate the exploitation to target multiple accounts rapidly. This risk is amplified for organizations in sectors such as e-commerce, digital content, education, and any subscription-based services using this plugin. The lack of known exploits in the wild suggests limited current exploitation, but the vulnerability’s characteristics make it a likely target for future attacks once widely known.

1. Monitor for plugin updates from cozmoslabs and apply patches immediately once available to address the missing authorization checks. 2. Until a patch is released, restrict access to the affected AJAX endpoint by implementing web application firewall (WAF) rules that block or rate-limit suspicious requests targeting the process_payment function. 3. Employ strict server-side validation and logging to detect and alert on unusual payment processing activities, such as multiple rapid auto-renew triggers from the same IP or user agent. 4. Review and tighten WordPress user roles and capabilities to minimize exposure of payment processing functions. 5. Consider temporarily disabling auto-renewal features or switching to alternative membership plugins with robust security if patching is delayed. 6. Educate members about monitoring their payment statements and reporting unauthorized charges promptly. 7. Conduct regular security audits and penetration tests focusing on membership and payment workflows to identify similar authorization weaknesses.