CVE-2024-1279 – Paid Memberships Pro < 2.12.9 - Contributor+ Arbitrary User Custom Field Disclosure

https://notcve.org/view.php?id=CVE-2024-1279

The Paid Memberships Pro WordPress plugin before 2.12.9 does not prevent user with at least the contributor role from leaking other users' sensitive metadata. El complemento Paid Memberships Pro de WordPress anterior a 2.12.9 no impide que el usuario con al menos el rol de colaborador filtre metadatos confidenciales de otros usuarios. The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.12.8. This makes it possible for authenticated attackers, with contributor-level access and above, to extract user meta data utilizing the pmpro_member shortcode. • https://wpscan.com/vulnerability/4c537264-0c23-428e-9a11-7a9e74fb6b69 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •