CVE-2026-57659
Stranger · Paid Memberships Pro - Add Member From Admin
An unauthenticated Cross-Site Request Forgery (CSRF) vulnerability exists in the Paid Memberships Pro - Add Member From Admin plugin.
Executive summary
A critical Cross-Site Request Forgery flaw in the Paid Memberships Pro - Add Member From Admin plugin allows unauthorized modification of membership data.
Vulnerability
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw: an attacker who holds no account on the site can cause a logged-in administrator's browser to submit a state-changing request, which the site then processes under the administrator's session. Because the administrative membership-addition process does not require a valid anti-CSRF token, such a forged request is indistinguishable from one the administrator submitted deliberately.
Business impact
The CVSS score of 8.8 reflects the high severity of this vulnerability, as it directly impacts administrative control over membership systems. Unauthorized membership modifications can lead to financial discrepancies, loss of customer trust, and potential regulatory non-compliance regarding user data management.
Remediation
Immediate Action: Update the affected plugin to the latest version provided by the vendor to ensure proper CSRF token validation is implemented.
Proactive Monitoring: Monitor administrative audit logs for unusual membership creation or modification events that do not correlate with known administrative activity.
Compensating Controls: Utilize a Web Application Firewall (WAF) to inspect admin-area POST requests and block those whose Referer (or Origin) header does not match the site, or that lack the expected CSRF validation token field. This reduces exposure until the update is applied but does not replace server-side token validation, since a WAF can check for the presence of a token but cannot verify that it is valid for the current session.
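To make the missing control in the Vulnerability section and the fix called for under Remediation concrete, the following added example (not the plugin's own code) contrasts a WordPress admin-post handler with no CSRF protection against a hardened version that checks capability and a nonce before changing any membership data. All function and field names (`example_*`) are hypothetical.

```php
<?php
// Added illustration of the CSRF bug class; hypothetical names, not plugin code.

// Admin form. wp_nonce_field() emits a hidden token bound to the logged-in
// user's session and to the action name, plus a referer field.
function example_render_add_member_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_add_member">';
    wp_nonce_field( 'example_add_member_action', 'example_add_member_nonce' );
    echo '<input type="email" name="member_email">';
    echo '<input type="number" name="level_id">';
    submit_button( 'Add member' );
    echo '</form>';
}

// Hypothetical persistence helper; stands in for the real "create member" step.
function example_create_member( $email, $level ) {
    error_log( sprintf( 'example: would add %s at level %d', $email, $level ) );
}

// VULNERABLE pattern: no nonce and no capability check. Any POST that arrives
// with the administrator's cookies, including one triggered from a page the
// admin merely visits, is processed as if the admin submitted it.
function example_add_member_vulnerable() {
    $email = sanitize_email( wp_unslash( $_POST['member_email'] ) );
    $level = absint( $_POST['level_id'] );
    example_create_member( $email, $level );
}

// HARDENED pattern: verify the caller's capability, then the nonce, before any
// state change. check_admin_referer() stops execution with a 403 page when the
// token is missing or does not validate for this user and action.
function example_add_member_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_add_member_action', 'example_add_member_nonce' );

    $email = isset( $_POST['member_email'] ) ? sanitize_email( wp_unslash( $_POST['member_email'] ) ) : '';
    $level = isset( $_POST['level_id'] ) ? absint( $_POST['level_id'] ) : 0;
    if ( ! is_email( $email ) || 0 === $level ) {
        wp_die( 'Invalid input.', '', array( 'response' => 400 ) );
    }
    example_create_member( $email, $level );
    wp_safe_redirect( admin_url( 'admin.php?page=example-members&added=1' ) );
    exit;
}
add_action( 'admin_post_example_add_member', 'example_add_member_hardened' );
```

The nonce is only one half of the control: the capability check ensures that even a valid token from a lower-privileged user cannot reach the membership change.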
Exploitation status
Public Exploit Available: false
Analyst recommendation
Security teams must treat this vulnerability with high priority. Promptly updating the plugin is the most effective way to eliminate the risk of CSRF-based attacks and ensure the continued integrity of the membership database.