Cross-Site Request Forgery Vulnerability in ARMember Premium Plugin for WordPress
CVE-2024-5596

6.3MEDIUM

Key Information:

Vendor
Wordpress
Status
Armember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User Signup
Vendor
CVE Published:
22 June 2024

Summary

The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta and plugin options which can lead to limited privilege escalation.

Affected Version(s)

ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup * <= 6.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://codecanyon.net/item/armember-complete-wordpress-m...

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

István Márton
.