Unauthenticated Attackers Can Extract Sensitive Data from Restricted Posts via WordPress Core Search
CVE-2024-11008

5.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Members – Membership & User Role Editor Plugin
Vendor: CVE Published:; 11 December 2024

Summary

The Membership & User Role Editor Plugin for WordPress exhibits a vulnerability that permits unauthenticated attackers to exploit the WordPress core search feature. This weakness enables the extraction of sensitive information from posts that should be restricted to users with higher-level roles, such as administrators. As a consequence, the privacy and security of sensitive data may be compromised, posing significant risks to website owners and their users.

Affected Version(s)

Members – Membership & User Role Editor Plugin * <= 3.2.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3199682/members

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 11, 2024
Vulnerability Reserved
Nov 7, 2024

Credit

Francesco Carlucci