
CVE-2024-32794: Paid Memberships Pro CSRF Vulnerability

CVE-2024-32794 is a Cross-Site Request Forgery flaw in Paid Memberships Pro through version 2.12.10 that allows attackers to perform unauthorized actions. This article covers technical details, affected versions, and mitigation.


CVE-2024-32794 Overview

CVE-2024-32794 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting the Paid Memberships Pro plugin for WordPress. The flaw impacts all versions of the plugin from initial release through 2.12.10. An attacker can craft a malicious web page that, when visited by an authenticated user, triggers unintended state-changing actions in the plugin. The vulnerability requires user interaction but no privileges, and successful exploitation can compromise confidentiality, integrity, and availability of the affected WordPress site.

Critical Impact

A remote attacker can trick an authenticated administrator into executing unauthorized plugin actions, potentially leading to full site compromise through forged requests.

Affected Products

  • Paid Memberships Pro plugin for WordPress, versions through 2.12.10
  • WordPress sites running strangerstudios/paid_memberships_pro
  • All deployments where authenticated administrators interact with untrusted content

Discovery Timeline

  • 2024-04-24 - CVE-2024-32794 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-32794

Vulnerability Analysis

The vulnerability stems from missing or inadequate anti-CSRF token validation in state-changing request handlers within Paid Memberships Pro. WordPress provides nonce mechanisms (wp_nonce_field, check_admin_referer, wp_verify_nonce) to defend against CSRF, but the affected endpoints fail to enforce these checks correctly. As a result, the plugin processes requests without confirming that they originated from an intentional user action within the WordPress admin context.

An attacker exploits this by hosting a malicious page containing crafted HTML forms or JavaScript that issues authenticated requests to the target site. When a logged-in administrator visits the attacker-controlled page, the browser automatically attaches valid session cookies. The plugin processes the forged request as if it were legitimate, executing changes attributable to the victim's session.

Root Cause

The root cause is improper enforcement of request authenticity in plugin handlers. Specifically, sensitive operations either omit nonce verification or rely on predictable parameters that an external site can replicate. This maps to CWE-352, Cross-Site Request Forgery.
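As an added example (not code from Paid Memberships Pro or WordPress core), the following Python models the WordPress nonce scheme the analysis refers to: a short HMAC over a time tick, the action name, the user id and the session token, accepted for the current and the previous tick, in the shape of wp_create_nonce()/wp_verify_nonce(). It then places a handler that trusts the cookie session alone next to the same handler behind a check equivalent to check_admin_referer(). SITE_SALT, NONCE_LIFE, the action name pmpro_save_level and the handler names are assumptions made for this example; the point it demonstrates is why a page on another origin can make the browser send the cookie but cannot produce a valid nonce.

```python
"""Model of WordPress-style nonce protection for a state-changing admin action.

Added example, not code from Paid Memberships Pro or WordPress core. It mirrors
the shape of wp_create_nonce()/wp_verify_nonce(): a short HMAC over a time tick,
the action name, the user id and the session token, accepted for the current and
the previous tick. SITE_SALT, NONCE_LIFE, ACTION and the handler names are
assumptions made for this example.
"""
import hashlib
import hmac
import math

SITE_SALT = b"constructed-demo-salt-not-a-real-key"  # stands in for wp_salt('nonce')
NONCE_LIFE = 24 * 60 * 60  # WordPress default nonce lifetime: 24 hours
ACTION = "pmpro_save_level"  # hypothetical action name for this example


def nonce_tick(now: float) -> int:
    """Half-lifetime time ticks; a nonce stays valid between 12 and 24 hours."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick: int, action: str, user_id: int, token: str) -> str:
    msg = f"{tick}|{action}|{user_id}|{token}".encode()
    digest = hmac.new(SITE_SALT, msg, hashlib.md5).hexdigest()
    return digest[-12:-2]  # 10 characters taken 12 from the end, as WordPress does


def create_nonce(action: str, user_id: int, token: str, now: float) -> str:
    return _nonce_for_tick(nonce_tick(now), action, user_id, token)


def verify_nonce(nonce: str, action: str, user_id: int, token: str, now: float) -> int:
    """Return 1 (current tick), 2 (previous tick) or 0 (invalid), like wp_verify_nonce()."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = _nonce_for_tick(t, action, user_id, token)
        if hmac.compare_digest(expected.encode(), str(nonce).encode()):
            return age
    return 0


def is_authentic_request(request: dict, session: dict, now: float) -> bool:
    """The check the vulnerable handlers lack: nonce bound to this user's session."""
    nonce = request.get("_wpnonce", "")
    return verify_nonce(nonce, ACTION, session["user_id"], session["token"], now) != 0


def vulnerable_save_level(request: dict, session: dict) -> str:
    """Shape of the flaw: the cookie session alone is trusted, no nonce check."""
    return f"level {request['level_id']} renamed to {request['name']!r} by user {session['user_id']}"


def hardened_save_level(request: dict, session: dict, now: float) -> str:
    """Same action behind a check equivalent to check_admin_referer(ACTION)."""
    if not is_authentic_request(request, session, now):
        raise PermissionError("invalid or missing nonce")  # WordPress would die with -1
    return vulnerable_save_level(request, session)


if __name__ == "__main__":
    now = 1_700_000_000.0
    session = {"user_id": 1, "token": "constructed-session-token"}
    # The victim's own admin form carries a nonce minted for their session.
    own_form = {"level_id": 2, "name": "Gold",
                "_wpnonce": create_nonce(ACTION, 1, session["token"], now)}
    # A page on another origin never sees SITE_SALT or the session token, so the
    # best it can do is send no nonce or a guessed one.
    forged = {"level_id": 2, "name": "Free", "_wpnonce": "0123456789"}
    print(hardened_save_level(own_form, session, now))
    print(vulnerable_save_level(forged, session))  # the flaw: this succeeds
    try:
        hardened_save_level(forged, session, now)
    except PermissionError as exc:
        print("forged request rejected:", exc)
```

The nonce is keyed by the site secret and the user's session token, so knowledge of the victim's cookie value (which the forging page never has anyway) is not what protects the action; the protection is that the handler refuses any request whose token was not minted for that user and action within the lifetime window.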

Attack Vector

The attack vector is network-based and requires user interaction. The attacker delivers a phishing link or embeds a malicious payload in a third-party site. Once the authenticated administrator browses to it, the forged request executes against the vulnerable plugin endpoint. No authentication bypass or credential theft is required because the browser supplies the active session automatically.

The vulnerability is described in prose because no public proof-of-concept code is available in the verified sources. Refer to the Patchstack CSRF Vulnerability Advisory for additional technical context.

Detection Methods for CVE-2024-32794

Indicators of Compromise

  • Unexpected configuration changes within Paid Memberships Pro settings made outside normal admin workflows
  • HTTP POST requests to plugin endpoints with Referer headers pointing to external untrusted domains
  • Administrator account activity originating from sessions immediately after visiting unfamiliar links
  • New or modified membership levels, discount codes, or user roles without corresponding audit entries

Detection Strategies

  • Review WordPress audit logs for plugin actions lacking valid nonce parameters in associated requests
  • Correlate web server access logs with administrator browsing history to identify cross-origin POST patterns
  • Inspect outbound proxy logs for redirects to attacker-controlled domains preceding plugin state changes
  • Deploy file integrity monitoring on the wp-content/plugins/paid-memberships-pro/ directory and database tables managed by the plugin

Monitoring Recommendations

  • Enable verbose logging for WordPress admin actions and forward events to a centralized SIEM for analysis
  • Alert on HTTP requests to /wp-admin/admin.php?page=pmpro-* with mismatched Origin or Referer headers
  • Track administrator session activity patterns and flag rapid state changes following external navigation events
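As an added example, not a rule shipped by any product, the following Python implements the alert from the monitoring recommendations above: a POST to /wp-admin/admin.php?page=pmpro-* whose Origin or Referer host is not the site itself, with the case where the browser sent neither header (or the opaque "null" origin) surfaced separately because same-site origin cannot be confirmed. The JSON-lines log format, the host name members.example.com and the sample events are constructed for this example and are not real log data.

```python
"""Flag cross-origin POSTs to Paid Memberships Pro admin pages in proxy logs.

Added example, not a rule shipped by any product. It implements the alert from
the monitoring recommendations: a POST to /wp-admin/admin.php?page=pmpro-* whose
Origin or Referer host is not the site itself. The JSON-lines log format, the
host name and the sample events are constructed for this example.
"""
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "members.example.com"  # assumption: the WordPress host being protected

# Constructed sample events, as a reverse proxy or WAF might emit them.
# 1: same-site POST from the plugin's own settings page (benign)
# 2: POST to the discount-code page with an external Origin and Referer
# 3: GET with an external Referer: navigation, not a state change, so not flagged here
# 4: POST with opaque "null" Origin and no Referer: same-site cannot be confirmed
# 5: cross-origin POST to a non-PMPro endpoint: outside this rule's scope
SAMPLE_LOG = """\
{"ts": "2024-04-25T10:01:02Z", "method": "POST", "host": "members.example.com", "path": "/wp-admin/admin.php?page=pmpro-membershiplevels", "origin": "https://members.example.com", "referer": "https://members.example.com/wp-admin/admin.php?page=pmpro-membershiplevels", "user": "admin"}
{"ts": "2024-04-25T10:07:44Z", "method": "POST", "host": "members.example.com", "path": "/wp-admin/admin.php?page=pmpro-discountcodes", "origin": "https://promo.example.net", "referer": "https://promo.example.net/offer.html", "user": "admin"}
{"ts": "2024-04-25T10:07:45Z", "method": "GET", "host": "members.example.com", "path": "/wp-admin/admin.php?page=pmpro-discountcodes", "origin": "", "referer": "https://promo.example.net/offer.html", "user": "admin"}
{"ts": "2024-04-25T10:09:10Z", "method": "POST", "host": "members.example.com", "path": "/wp-admin/admin.php?page=pmpro-membershiplevels", "origin": "null", "referer": "", "user": "admin"}
{"ts": "2024-04-25T10:12:00Z", "method": "POST", "host": "members.example.com", "path": "/wp-admin/post.php", "origin": "https://promo.example.net", "referer": "https://promo.example.net/offer.html", "user": "admin"}
"""


def header_host(value: Optional[str]) -> Optional[str]:
    """Host from an Origin/Referer value; '' and the opaque 'null' origin count as absent."""
    if not value or value == "null":
        return None
    return urlsplit(value).hostname


def is_pmpro_admin_page(path: str) -> bool:
    """True for /wp-admin/admin.php?page=pmpro-* (query parameter order is irrelevant)."""
    parts = urlsplit(path)
    page = parse_qs(parts.query).get("page", [""])[0]
    return parts.path == "/wp-admin/admin.php" and page.startswith("pmpro-")


def classify(event: dict) -> Optional[str]:
    """Return 'cross-origin', 'no-origin' or None for one log event."""
    if event.get("method") != "POST" or not is_pmpro_admin_page(event.get("path", "")):
        return None
    sources = [h for h in (header_host(event.get("origin")),
                           header_host(event.get("referer"))) if h]
    if not sources:
        return "no-origin"  # neither header present: same-site cannot be confirmed
    if any(h != event.get("host") for h in sources):
        return "cross-origin"
    return None


def scan(log_text: str) -> list:
    """Run classify() over JSON lines; return (ts, user, verdict, path) tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            findings.append((event["ts"], event.get("user", "?"), verdict, event["path"]))
    return findings


if __name__ == "__main__":
    for ts, user, verdict, path in scan(SAMPLE_LOG):
        print(f"{ts} {user} {verdict:13} {path}")
```

Treating the missing-header case as its own verdict matters in practice: browsers omit Referer under strict referrer policies and send Origin: null from some sandboxed contexts, so a rule that only matches an explicit foreign host misses exactly the requests it cannot vouch for. A finding from this rule is a trigger for the audit-log correlation listed above, not proof of compromise on its own.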

How to Mitigate CVE-2024-32794

Immediate Actions Required

  • Update Paid Memberships Pro to a version newer than 2.12.10 as soon as the vendor patch is available
  • Audit recent administrator activity for unauthorized configuration changes since the disclosure date
  • Enforce least-privilege role assignments and limit the number of accounts with administrator capabilities
  • Require administrators to log out of WordPress before browsing unrelated sites

Patch Information

Review the Patchstack CSRF Vulnerability Advisory for the latest fixed version of the Paid Memberships Pro plugin. Apply the upgrade through the WordPress plugin manager or via WP-CLI, then verify the installed version exceeds 2.12.10.

Workarounds

  • Deploy a Web Application Firewall (WAF) rule that blocks cross-origin POST requests to Paid Memberships Pro admin endpoints
  • Restrict access to /wp-admin/ by IP allowlist where operationally feasible
  • Set the SameSite=Strict attribute on WordPress authentication cookies so the browser does not attach them to cross-site requests
  • Use browser isolation or dedicated administrator workstations for WordPress management tasks

```bash
# Configuration example - update plugin via WP-CLI
wp plugin update paid-memberships-pro
wp plugin get paid-memberships-pro --field=version
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
