CVE-2026-39514

Vulnerability

A reflected Cross Site Scripting (XSS) vulnerability exists in the Paid Member Subscriptions plugin for WordPress, affecting versions up to and including 2.17.3 [1]. The vulnerability does not require authentication, but successful exploitation requires a privileged user to perform an action, such as clicking a crafted malicious link or visiting a specially crafted page [1].

Exploitation

An attacker can craft a malicious URL containing the XSS payload and deliver it to a logged-in administrator or another privileged user. The user must click the link or interact with the malicious page. No prior authentication or network position beyond standard HTTP access is needed, but user interaction of a privileged user is required [1].

Impact

Successful exploitation allows the attacker to inject malicious scripts (e.g., redirects, advertisements, or other HTML payloads) into the affected site. These scripts execute when other visitors access the site, potentially leading to information disclosure, session hijacking, or defacement [1]. The impact is limited to the browser context of users visiting the site, but the attacker does not gain direct code execution on the server.

Mitigation

The vulnerability is fixed in version 3.0.0 of the plugin [1]. Users must update to version 3.0.0 or later. If unable to update, implementing a mitigation rule via Patchstack is available [1]. No other workarounds are mentioned in the reference.