
CVE-2025-11835: CWE-862 Missing Authorization in cozmoslabs Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Severity: Medium
Tags: Vulnerability, cve, cve-2025-11835, cwe-862
Published: Wed Nov 05 2025 (11/05/2025, 03:27:57 UTC)
Source: CVE Database V5
Vendor/Project: cozmoslabs
Product: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Description

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability and validation check on the PMS_AJAX_Checkout_Handler::process_payment() function in all versions up to, and including, 2.16.4. This makes it possible for unauthenticated attackers to trigger stored auto-renew charges for arbitrary members.

AI-Powered Analysis

AI analysis last updated: 11/05/2025, 04:01:04 UTC

Technical Analysis

CVE-2025-11835 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WordPress plugin 'Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction' developed by cozmoslabs. The issue exists in the PMS_AJAX_Checkout_Handler::process_payment() function, which lacks proper capability and validation checks. This flaw allows unauthenticated attackers to invoke the function and trigger stored auto-renew charges on behalf of arbitrary members without authorization. The vulnerability affects all plugin versions up to and including 2.16.4. Because the process_payment function handles critical payment operations, unauthorized triggering can lead to manipulation of billing processes, potentially charging members without their consent or causing financial discrepancies. The CVSS v3.1 score is 5.3 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts integrity (I:L) but not confidentiality or availability. No patches are currently linked, and no known exploits have been reported in the wild, but the vulnerability's presence in a widely used WordPress plugin poses a significant risk to sites relying on it for membership and payment management.

Potential Impact

For European organizations, this vulnerability can lead to unauthorized financial transactions, causing direct monetary loss and undermining customer trust. Membership-based businesses, subscription services, and content providers using this plugin may experience fraudulent charges or billing errors, resulting in customer complaints, chargebacks, and reputational damage. The integrity of payment data is compromised, which could also lead to regulatory scrutiny under GDPR if customer financial data is mishandled or if unauthorized transactions occur. Additionally, organizations may face operational disruptions as they investigate and remediate the issue. The lack of authentication requirement increases the risk of automated exploitation attempts from remote attackers, potentially affecting a large number of sites. The vulnerability does not impact confidentiality or availability directly but can indirectly affect business continuity and customer relations.

Mitigation Recommendations

Organizations should monitor for plugin updates from cozmoslabs and apply patches immediately once available. Until a patch is released, administrators should restrict access to the payment processing AJAX endpoints via web application firewalls (WAFs) or server-level access controls to block unauthenticated requests. Implementing additional logging and anomaly detection on payment transactions can help identify unauthorized charges early. Consider temporarily disabling auto-renewal features or switching to alternative membership management plugins with verified security. Regularly audit membership and payment records for irregularities. Educate site administrators on the risks and ensure WordPress core and all plugins are kept up to date. Employ security plugins that can detect and block unauthorized AJAX calls. Finally, review and tighten user roles and capabilities within WordPress to minimize exposure.
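As an added, hypothetical illustration of the missing-authorization pattern the analysis describes and the role/capability tightening the mitigation section recommends (this is not the plugin's code; the hook names, example_charge_member() and the capability string are assumptions), a WordPress AJAX billing handler is shown first without and then with the checks:

```php
<?php
// Hypothetical illustration, not code from the plugin: a WordPress AJAX
// handler that triggers a charge, first without any check (the CWE-862
// pattern), then with identity, intent, ownership and input validation.

// Assumed billing integration; a real plugin would call its gateway here.
function example_charge_member( int $member_id ): bool {
    return true;
}

// Weak pattern: a nopriv hook exposes the action to anonymous callers, and the
// callback trusts the member id supplied in the request body.
add_action( 'wp_ajax_nopriv_example_payment_unchecked', 'example_payment_unchecked' );
add_action( 'wp_ajax_example_payment_unchecked',        'example_payment_unchecked' );
function example_payment_unchecked() {
    $member_id = (int) $_POST['member_id'];   // caller-controlled, never verified
    example_charge_member( $member_id );
    wp_send_json_success();
}

// Hardened pattern: logged-in hook only, gated on nonce, ownership and input.
add_action( 'wp_ajax_example_payment', 'example_payment_checked' );
function example_payment_checked() {
    // 1. Identity: billing actions get no wp_ajax_nopriv_ registration at all.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // 2. Intent: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'example_payment', 'nonce' );
    // 3. Validation: reject malformed input before touching billing code.
    $member_id = isset( $_POST['member_id'] ) ? absint( $_POST['member_id'] ) : 0;
    if ( 0 === $member_id ) {
        wp_send_json_error( 'invalid member', 400 );
    }
    // 4. Ownership: charge only the caller's own membership unless the caller
    //    holds an explicit capability to act on others (assumed: manage_options).
    if ( $member_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'not authorized for this member', 403 );
    }
    // 5. Audit trail: record who triggered which charge, for anomaly detection.
    error_log( sprintf( 'payment triggered by user %d for member %d from %s',
        get_current_user_id(), $member_id, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
    example_charge_member( $member_id );
    wp_send_json_success();
}
```

The nonce is obtained on the page that renders the checkout via wp_create_nonce( 'example_payment' ) and sent as the nonce field; the log line gives the "additional logging" the recommendations call for a concrete shape.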


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-15T21:48:26.282Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690ac97016b8dcb1e3eaa161

Added to database: 11/5/2025, 3:50:08 AM

Last enriched: 11/5/2025, 4:01:04 AM

Last updated: 11/5/2025, 7:22:40 AM
