CVE-2025-68514 MEDIUM

CVE-2025-68514: WordPress Paid Member Subscriptions plugin <= 2.16.8 - Insecure Direct Object References (IDOR) vulnerability

Vendor Cozmoslabs
Product Paid Member Subscriptions
Weakness CWE-639 · IDOR
Published February 20, 2026
Last update April 29, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs Paid Member Subscriptions (paid-member-subscriptions) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Member Subscriptions: from n/a through 2.16.8.

Explanation of Vulnerability in Simple Terms

02 Summary

Paid Member Subscriptions versions 2.16.8 and earlier are affected by an authorization bypass through a user-controlled key (CWE-639, IDOR). The published CVSS vector scores the impact as denial of service only (C:N/I:N/A:H): an authenticated attacker with low privileges can trigger a condition that makes the site unavailable or unresponsive. Exploitation requires network access and valid login credentials but no interaction from a victim.

What an attacker can do

03 Attacker Capabilities

Make the site unavailable or unresponsive to legitimate users.

Potential impact on your site

04 Site Impact

Site downtime or performance degradation affecting all visitors until the attack stops or the plugin is patched.

Conditions required to exploit

05 Prerequisites

Valid login credentials with low-level privileges; network access to the site.

Key dates

06 Disclosure Timeline

February 20, 2026 CVE published
April 29, 2026 Record updated