CVE-2024-32793 Overview
CVE-2024-32793 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] in the Paid Memberships Pro WordPress plugin developed by Stranger Studios. The flaw affects all plugin versions up to and including 2.12.10. An attacker can craft a malicious web page that triggers authenticated administrative actions when an authorized user visits it. The vulnerability carries a CVSS 3.1 base score of 8.8; the attack vector is the network and exploitation requires user interaction. Successful exploitation impacts the confidentiality, integrity, and availability of the WordPress site running the plugin.
Critical Impact
An attacker can trick an authenticated administrator into executing privileged plugin actions, leading to membership data tampering and potential site compromise.
Affected Products
- Paid Memberships Pro plugin for WordPress, all versions through 2.12.10 (no lower bound is given; NVD lists it as n/a)
- WordPress sites with Stranger Studios paid_memberships_pro installed and active
- All deployments where administrators interact with untrusted external content
Discovery Timeline
- 2024-04-24 - CVE-2024-32793 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2024-32793
Vulnerability Analysis
The Paid Memberships Pro plugin fails to properly validate request origin for state-changing operations. Sensitive endpoints accept HTTP requests without verifying a WordPress nonce or equivalent anti-CSRF token. An attacker hosts a crafted page or embeds an image, form, or script that issues a request to the target site. When an authenticated administrator visits the attacker-controlled content, the browser submits the request with valid session cookies attached. The plugin processes the request as if the administrator initiated it.
This class of issue is tracked as CWE-352: Cross-Site Request Forgery. Exploitation requires no credentials on the attacker side, only that a privileged user be lured into triggering the request. The EPSS probability is 0.104% with a percentile of 27.931 as of the latest scoring date.
Root Cause
The plugin omits or incorrectly applies WordPress nonce verification (wp_verify_nonce / check_admin_referer) on one or more action handlers. Without server-side validation of a token bound to the user session, the application cannot distinguish requests intentionally submitted by the user from those forged by a third-party site.
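To make the root cause concrete, here is an added PHP example (not code from Paid Memberships Pro or from this advisory) of a minimal WordPress admin settings handler, first in the vulnerable shape described above and then with WordPress's own nonce check applied. The option name example_price, the action string example_save_settings, the nonce field name example_nonce and the menu slug example-settings are hypothetical; the core functions used (wp_nonce_field, check_admin_referer, wp_verify_nonce, current_user_can, update_option, add_menu_page) are real WordPress APIs.

```php
<?php
// Added example, not code from Paid Memberships Pro or the advisory: a minimal
// WordPress admin form handler without anti-CSRF protection, then with the
// WordPress nonce check. Option, action, field and slug names are hypothetical.

// --- Vulnerable pattern: any POST that reaches this handler is honoured. ---
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_price'] ) ) {
        // No nonce and no capability check: a form auto-submitted from a
        // third-party page arrives with the admin's cookies and is accepted.
        update_option( 'example_price', sanitize_text_field( wp_unslash( $_POST['example_price'] ) ) );
    }
}

// --- Hardened pattern, part 1: render the form with a nonce field. ---
function example_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=example-settings' ) ) . '">';
    // Emits a hidden input named example_nonce whose value is derived from the
    // current user's session and the action string 'example_save_settings'.
    // A page on another origin cannot read this value.
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="text" name="example_price" value="' . esc_attr( get_option( 'example_price', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// --- Hardened pattern, part 2: verify the nonce before changing state. ---
function example_save_settings_hardened() {
    if ( ! isset( $_POST['example_price'] ) ) {
        return;
    }
    // check_admin_referer() runs wp_verify_nonce() on the named field and
    // stops the request with a 403 ("The link you followed has expired")
    // when the token is missing, stale, or was minted for another user or
    // another action. A forged request cannot supply a valid token.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    // Authorisation is separate from CSRF protection: also confirm that the
    // requesting user is allowed to change settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to do this.' ), '', array( 'response' => 403 ) );
    }
    update_option( 'example_price', sanitize_text_field( wp_unslash( $_POST['example_price'] ) ) );
}

// Wire the hardened handler and the settings page into the admin area.
add_action( 'admin_init', 'example_save_settings_hardened' );
add_action( 'admin_menu', function () {
    add_menu_page( 'Example Settings', 'Example Settings', 'manage_options', 'example-settings', 'example_render_settings_form' );
} );
```

The nonce check alone is the CSRF fix; the capability check is kept next to it because the two are often confused, and a handler that verifies a nonce but not the caller's role remains open to any logged-in subscriber who can obtain a nonce for that action.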
Attack Vector
The attack vector is network-based and requires user interaction. An attacker delivers a phishing link, malicious advertisement, or compromised page containing an auto-submitting form or image tag pointed at the vulnerable endpoint. The administrator's browser includes authentication cookies, and the plugin executes the action under the administrator's privileges. Refer to the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2024-32793
Indicators of Compromise
- Unexpected modifications to membership levels, pricing, or user role mappings in Paid Memberships Pro settings
- Administrative POST requests to plugin endpoints with Referer headers pointing to external domains
- Plugin action requests lacking valid _wpnonce parameters in web server access logs (visible only when the nonce travels in the query string; access logs do not record POST bodies)
- New or altered membership records correlated with administrator browsing sessions on untrusted sites
Detection Strategies
- Parse web server access logs for POST requests to /wp-admin/admin.php?page=pmpro-* endpoints originating from off-site referers
- Compare WordPress audit logs against expected administrator workflows to surface anomalous state changes
- Deploy a Web Application Firewall (WAF) rule that flags plugin action requests missing the _wpnonce token
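As an added example of the first and third strategies combined (not a tool from this advisory or from the plugin vendor), the following PHP CLI script parses Combined Log Format access-log lines and reports POSTs to Paid Memberships Pro admin pages whose Referer is absent or off-site, plus GET action links that carry no _wpnonce query parameter. The site origin https://your-site.example, the page slugs, the IP addresses and the log lines are constructed for illustration.

```php
<?php
// Added example (not part of the advisory or the plugin): scan access-log
// lines for requests to Paid Memberships Pro admin pages that look forged.
// The site origin and every log line below are constructed for illustration.

const SITE_ORIGIN = 'https://your-site.example'; // assumed: the site's own origin

// Combined Log Format:
// host ident user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
const LOG_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

// Returns null for lines that are unparseable, not a pmpro admin page, or
// clean; otherwise an array describing the request and why it was flagged.
function analyze_log_line(string $line): ?array {
    if (!preg_match(LOG_PATTERN, $line, $m)) {
        return null;
    }
    [, $ip, $time, $method, $path, , $referer] = $m;

    $url   = parse_url($path);
    $query = [];
    if (!empty($url['query'])) {
        parse_str($url['query'], $query);
    }
    $page = $query['page'] ?? '';
    // Only /wp-admin/admin.php?page=pmpro-* is of interest here.
    if (($url['path'] ?? '') !== '/wp-admin/admin.php' || strpos($page, 'pmpro') !== 0) {
        return null;
    }

    $findings = [];
    if ($method === 'POST') {
        // Browsers send a Referer (at least the origin) on cross-site form
        // posts under the default referrer policy; "-" is how most servers
        // log an absent header.
        if ($referer === '' || $referer === '-') {
            $findings[] = 'POST without Referer';
        } elseif (strpos($referer, SITE_ORIGIN . '/') !== 0) {
            $findings[] = 'POST with off-site Referer: ' . $referer;
        }
    }
    // A state-changing action link should carry a nonce in its query string.
    // POST bodies are not logged, so this check only covers GET action links.
    if ($method === 'GET' && isset($query['action']) && !isset($query['_wpnonce'])) {
        $findings[] = 'action link without _wpnonce';
    }
    return $findings ? compact('ip', 'time', 'method', 'path', 'findings') : null;
}

// Constructed sample lines: a cross-site POST, a POST with no Referer, a
// legitimate same-site POST, an action link without a nonce, and a POST to
// an unrelated admin page that must not be reported.
$sample_lines = [
    '203.0.113.5 - - [24/Apr/2024:10:15:01 +0000] "POST /wp-admin/admin.php?page=pmpro-membershiplevels HTTP/1.1" 302 0 "https://lure.example/page.html" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Apr/2024:10:15:02 +0000] "POST /wp-admin/admin.php?page=pmpro-membershiplevels HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Apr/2024:10:16:30 +0000] "POST /wp-admin/admin.php?page=pmpro-membershiplevels HTTP/1.1" 302 0 "https://your-site.example/wp-admin/admin.php?page=pmpro-membershiplevels" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Apr/2024:10:17:00 +0000] "GET /wp-admin/admin.php?page=pmpro-membershiplevels&action=delete&id=3 HTTP/1.1" 302 0 "https://your-site.example/wp-admin/admin.php?page=pmpro-membershiplevels" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Apr/2024:10:18:00 +0000] "POST /wp-admin/admin.php?page=other-plugin HTTP/1.1" 200 512 "https://lure.example/page.html" "Mozilla/5.0"',
];

foreach ($sample_lines as $line) {
    $hit = analyze_log_line($line);
    if ($hit !== null) {
        printf("%s %s %s %s\n  -> %s\n", $hit['time'], $hit['ip'], $hit['method'], $hit['path'], implode('; ', $hit['findings']));
    }
}
```

Run it with php on a saved log (replace $sample_lines with lines read from the file) as a dry run before enforcing the Workarounds section's ModSecurity rule: the Referer test here is the same test that rule applies, so any legitimate same-site POST the script reports is one the blocking rule would also reject. A nonce missing from a POST form body cannot be seen in access logs at all; that case is only caught by the server-side nonce check in the plugin.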
Monitoring Recommendations
- Enable a WordPress activity logging plugin to record administrative changes with user, timestamp, and source IP attribution
- Forward web server and WordPress logs to a centralized SIEM for correlation across sessions and referers
- Alert on administrator account activity occurring outside normal working hours or from unfamiliar geolocations
How to Mitigate CVE-2024-32793
Immediate Actions Required
- Update Paid Memberships Pro to a version newer than 2.12.10 as soon as a fixed release is available from the vendor
- Restrict WordPress administrator browsing to trusted destinations and require separate browsers or profiles for admin tasks
- Force re-authentication of administrative sessions and rotate any API keys generated by the plugin
- Review membership configurations and user role assignments for unauthorized changes
Patch Information
The vulnerability affects Paid Memberships Pro through version 2.12.10. Administrators should consult the Patchstack Vulnerability Report and the official plugin changelog for the patched release version and apply it through the WordPress admin updater or via WP-CLI.
Workarounds
- Deploy a WAF rule that blocks POST requests to Paid Memberships Pro admin endpoints when the Referer header is missing or points off-site
- Enforce SameSite=Lax or SameSite=Strict on WordPress session cookies to limit cross-origin cookie submission (Lax still sends cookies on top-level GET navigations, so it does not cover GET-based action links)
- Limit administrator capabilities to a minimal set of accounts and require multi-factor authentication for those accounts
- Temporarily deactivate the plugin if business operations allow until the patched version is installed
# Example WAF rule (ModSecurity) to block cross-origin POSTs to plugin endpoints.
# A chain ANDs its conditions, so two chains are needed: the first catches a
# Referer that is present but off-site, the second a Referer that is absent.
# Replace https://your-site.example/ with the site's real origin and test in
# DetectionOnly mode first: same-site POSTs sent with no Referer (for example
# under a strict Referrer-Policy) would also be blocked by the second chain.
SecRule REQUEST_METHOD "@streq POST" \
    "chain,id:1003293,phase:2,deny,status:403,log,msg:'Possible CSRF against Paid Memberships Pro (off-site Referer)'"
    SecRule REQUEST_URI "@rx ^/wp-admin/admin\.php\?page=pmpro" "chain"
        SecRule REQUEST_HEADERS:Referer "!@beginsWith https://your-site.example/" "t:none"
SecRule REQUEST_METHOD "@streq POST" \
    "chain,id:1003294,phase:2,deny,status:403,log,msg:'Possible CSRF against Paid Memberships Pro (missing Referer)'"
    SecRule REQUEST_URI "@rx ^/wp-admin/admin\.php\?page=pmpro" "chain"
        SecRule &REQUEST_HEADERS:Referer "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

