
    2 vulnerabilities found for ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup by Unknown

    CVE-2022-1903 (GCVE-0-2022-1903)

    Vulnerability from nvd – Published: 2022-06-27 08:58 – Updated: 2024-08-03 00:17
    VLAI
    Title
    ARMember < 3.4.8 - Unauthenticated Admin Account Takeover
    Summary
    The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover, including of the administrator account, because an AJAX action available to unauthenticated users lacks nonce and authorization checks; this allows such users to change the password of an arbitrary user by knowing that user's username.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Credits
    cydave

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:17:00.971Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/28d26aa6-a8db-4c20-9ec7-39821c606a08"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ARMember \u2013 Membership Plugin, Content Restriction, Member Levels, User Profile \u0026 User signup",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.4.8",
                  "status": "affected",
                  "version": "3.4.8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "cydave"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-27T08:58:19.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/28d26aa6-a8db-4c20-9ec7-39821c606a08"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ARMember \u003c 3.4.8 - Unauthenticated Admin Account Takeover",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-1903",
              "STATE": "PUBLIC",
              "TITLE": "ARMember \u003c 3.4.8 - Unauthenticated Admin Account Takeover"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ARMember \u2013 Membership Plugin, Content Restriction, Member Levels, User Profile \u0026 User signup",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "3.4.8",
                                "version_value": "3.4.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "cydave"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-862 Missing Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/28d26aa6-a8db-4c20-9ec7-39821c606a08",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/28d26aa6-a8db-4c20-9ec7-39821c606a08"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-1903",
        "datePublished": "2022-06-27T08:58:19.000Z",
        "dateReserved": "2022-05-27T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:17:00.971Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-1903 (GCVE-0-2022-1903)

    Vulnerability from cvelistv5 – Published: 2022-06-27 08:58 – Updated: 2024-08-03 00:17
    VLAI
    Title
    ARMember < 3.4.8 - Unauthenticated Admin Account Takeover
    Summary
    The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover, including of the administrator account, because an AJAX action available to unauthenticated users lacks nonce and authorization checks; this allows such users to change the password of an arbitrary user by knowing that user's username.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Credits
    cydave

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:17:00.971Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/28d26aa6-a8db-4c20-9ec7-39821c606a08"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ARMember \u2013 Membership Plugin, Content Restriction, Member Levels, User Profile \u0026 User signup",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.4.8",
                  "status": "affected",
                  "version": "3.4.8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "cydave"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-27T08:58:19.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/28d26aa6-a8db-4c20-9ec7-39821c606a08"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ARMember \u003c 3.4.8 - Unauthenticated Admin Account Takeover",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-1903",
              "STATE": "PUBLIC",
              "TITLE": "ARMember \u003c 3.4.8 - Unauthenticated Admin Account Takeover"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ARMember \u2013 Membership Plugin, Content Restriction, Member Levels, User Profile \u0026 User signup",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "3.4.8",
                                "version_value": "3.4.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "cydave"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-862 Missing Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/28d26aa6-a8db-4c20-9ec7-39821c606a08",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/28d26aa6-a8db-4c20-9ec7-39821c606a08"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-1903",
        "datePublished": "2022-06-27T08:58:19.000Z",
        "dateReserved": "2022-05-27T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:17:00.971Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }