Unauthenticated Attackers Can Bypass Authentication and Access Any User Account, Including the Site Administrator with Default ID of 1
CVE-2020-36832
9.8 CRITICAL
What is CVE-2020-36832?
The Ultimate Membership Pro plugin for WordPress contains an authentication bypass vulnerability that unauthenticated attackers can use to circumvent the plugin's normal login checks. This issue affects versions 7.3 through 8.6 of the plugin. By leveraging this flaw, an attacker can gain unauthorized access to any user account on a site running the plugin, including accounts with administrative privileges. This presents a significant risk, as an attacker in control of such an account could change site settings or access sensitive information. Website administrators are advised to take immediate action: update to the latest version of the plugin and review user account activity for signs of unauthorized logins.
Affected Version(s)
Indeed Membership Pro 7.3 up to, but not including, 8.6.1