CVE-2026-39514: WordPress Paid Member Subscriptions plugin <= 2.17.3 - Reflected Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Paid Member Subscriptions versions <= 2.17.3.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Reflected Cross-Site Scripting (XSS) in the Cozmoslabs Paid Member Subscriptions WordPress plugin affects all versions up to and including 2.17.3. The vulnerability is reachable over the network with no authentication required, but it requires a victim to follow or load a specially crafted link. Successful exploitation allows an attacker to inject and execute arbitrary JavaScript in the victim's browser session, enabling session theft, credential harvesting, and limited content tampering. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-39514 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, including custom-built WordPress images carrying the Paid Member Subscriptions plugin. Coverage extends to images in connected registries and active CI/CD pipelines.
- Triage: Available
Triage uses the CVSS v3.1 score of 7.1 (HIGH), weighted against each customer org's compliance policy, to determine breach-of-threshold status and urgency routing. Findings are routed to the appropriate team inbox within each customer environment based on configured ownership rules.
- Fix: Pending upstream
No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, compensating controls such as network-policy isolation and web application firewall rules can be applied to reduce exposure.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the WordPress site over the network and deliver a crafted URL or request to the target.
- Authentication: Not required
No account or credentials are needed; the vulnerability is exploitable by any unauthenticated party.
- Victim interaction: Required
A victim must click a malicious link or load a crafted page for the injected script to execute in their browser.
- Attack complexity: Low
The exploit is reliable and requires no special conditions, race timing, or environmental configuration to succeed.
Blast Radius
- Reads session cookies or authentication tokens from the victim's browser, enabling session hijacking.
- Harvests credentials or sensitive form input by injecting keyloggers or fake login prompts into the page.
- Modifies visible page content in the victim's browser to facilitate phishing or social-engineering follow-on attacks.
- Triggers limited availability disruption by redirecting the victim away from legitimate site functionality.
How HarborGuard Handles This
Because no upstream fix exists for CVE-2026-39514, HarborGuard continuously monitors the advisory across ingest cycles and will surface a patched-image rebuild automatically once Cozmoslabs publishes a remediated version of Paid Member Subscriptions. In the meantime, customers can use HarborGuard policy controls to flag any image carrying plugin versions at or below 2.17.3 and block promotion of those images to production.

Recommended compensating controls include enforcing a web application firewall rule to strip or encode reflected query parameters on affected endpoints, applying network-policy isolation to limit which clients can reach the WordPress admin surface, and reviewing Content-Security-Policy headers on the WordPress installation to restrict inline script execution.

When the upstream patch is released, customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention.
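One way to implement the version gate described above, as an added example that is not HarborGuard's or Cozmoslabs' code: a small Python scanner that reads the plugin's WordPress header from an image or checkout and flags versions at or below 2.17.3. The plugin directory name, the location of the header, and the sample header text are assumptions.

```python
"""Flag a WordPress tree whose Paid Member Subscriptions plugin is <= 2.17.3.
Added example, not HarborGuard's or Cozmoslabs' code; assumes the plugin lives in
wp-content/plugins/paid-member-subscriptions/ with a standard "Version:" header.
"""
import re
from pathlib import Path

MAX_AFFECTED = "2.17.3"                     # highest affected version in the advisory
PLUGIN_SLUG = "paid-member-subscriptions"  # assumed plugin directory name
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

# Constructed sample of a plugin header block (not the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Paid Member Subscriptions
 * Version: 2.17.3
 */
"""

def parse_version(v: str) -> tuple:
    """'2.17.3' -> (2, 17, 3); numeric compare keeps '2.17.10' above '2.17.3'."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:            # pad '2.17' to (2, 17, 0)
        parts.append(0)
    return tuple(parts)

def plugin_version(header_text: str):
    """Extract the Version: value from a WordPress plugin header, or None."""
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None

def is_affected(version: str) -> bool:
    """True when the version is at or below the advisory's affected ceiling."""
    return parse_version(version) <= parse_version(MAX_AFFECTED)

def scan_wp_root(wp_root) -> dict:
    """Locate the plugin header under a WordPress root and classify its version."""
    result = {"installed": False, "version": None, "affected": False}
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return result
    for php in sorted(plugin_dir.glob("*.php")):
        v = plugin_version(php.read_text(errors="ignore"))
        if v:
            result.update(installed=True, version=v, affected=is_affected(v))
            break
    return result
```

Run `scan_wp_root("/path/to/wordpress")` against a mounted image layer or checkout; a result with `affected` set to True is the signal to block promotion until the upstream fix ships.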
Affected Products
- Cozmoslabs / Paid Member Subscriptions: ≤ 2.17.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L