Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Indeed Membership Pro by wpindeed

    CVE-2020-36833 (GCVE-0-2020-36833)

    Vulnerability from nvd – Published: 2024-10-16 06:43 – Updated: 2024-10-16 19:33
    VLAI
    Title
    Indeed Membership Pro 7.3 - 8.6 - Missing Authorization Checks
    Summary
    The Indeed Membership Pro plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on various AJAX actions in versions 7.3 - 8.6. This makes it possible for authenticated attacker, with minimal permission, such as a subscriber, to perform a variety of actions such as modifying settings and viewing sensitive data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    wpindeed Indeed Membership Pro Affected: 7.3 , ≤ 8.6 (semver)
    Create a notification for this product.
    Credits
    Norman Riffat
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-36833",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T19:33:03.643092Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T19:33:16.544Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Indeed Membership Pro",
              "vendor": "wpindeed",
              "versions": [
                {
                  "lessThanOrEqual": "8.6",
                  "status": "affected",
                  "version": "7.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Norman Riffat"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Indeed Membership Pro plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on various AJAX actions in versions 7.3 - 8.6. This makes it possible for authenticated attacker, with minimal permission, such as a subscriber, to perform a variety of actions such as modifying settings and viewing sensitive data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-16T06:43:40.797Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab1cc1ef-d0e0-491d-91a8-eaa0605fc1da?source=cve"
            },
            {
              "url": "https://wpscan.com/vulnerability/9811025e-ab17-4255-aaaf-4f0306f5d281"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2020-02-06T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Indeed Membership Pro 7.3 - 8.6 - Missing Authorization Checks"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2020-36833",
        "datePublished": "2024-10-16T06:43:40.797Z",
        "dateReserved": "2024-10-15T18:10:13.105Z",
        "dateUpdated": "2024-10-16T19:33:16.544Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36832 (GCVE-0-2020-36832)

    Vulnerability from nvd – Published: 2024-10-16 06:43 – Updated: 2024-10-16 18:03
    VLAI
    Title
    Indeed Membership Pro 7.3 - 8.6 - Authentication Bypass
    Summary
    The Ultimate Membership Pro plugin for WordPress is vulnerable to Authentication Bypass in versions between, and including, 7.3 to 8.6. This makes it possible for unauthenticated attackers to login as any user, including the site administrator with a default user ID of 1, via the username or user ID.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    wpindeed Indeed Membership Pro Affected: 7.3 , < 8.6.1 (semver)
    Create a notification for this product.
    wpindeed ultimate_membership_pro Affected: 7.3 , < 8.6.1 (semver)
        cpe:2.3:a:wpindeed:ultimate_membership_pro:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Noman Riffat
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpindeed:ultimate_membership_pro:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ultimate_membership_pro",
                "vendor": "wpindeed",
                "versions": [
                  {
                    "lessThan": "8.6.1",
                    "status": "affected",
                    "version": "7.3",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-36832",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T15:34:59.506897Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T18:03:20.662Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Indeed Membership Pro",
              "vendor": "wpindeed",
              "versions": [
                {
                  "lessThan": "8.6.1",
                  "status": "affected",
                  "version": "7.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Noman Riffat"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Ultimate Membership Pro plugin for WordPress is vulnerable to Authentication Bypass in versions between, and including, 7.3 to 8.6. This makes it possible for unauthenticated attackers to login as any user, including the site administrator with a default user ID of 1, via the username or user ID."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-16T06:43:38.406Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5341bbd-55bd-41ad-b5d1-d6b56c141277?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253"
            },
            {
              "url": "https://wpscan.com/vulnerability/9811025e-ab17-4255-aaaf-4f0306f5d281"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2020-02-06T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Indeed Membership Pro 7.3 - 8.6 - Authentication Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2020-36832",
        "datePublished": "2024-10-16T06:43:38.406Z",
        "dateReserved": "2024-10-15T18:07:00.693Z",
        "dateUpdated": "2024-10-16T18:03:20.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36833 (GCVE-0-2020-36833)

    Vulnerability from cvelistv5 – Published: 2024-10-16 06:43 – Updated: 2024-10-16 19:33
    VLAI
    Title
    Indeed Membership Pro 7.3 - 8.6 - Missing Authorization Checks
    Summary
    The Indeed Membership Pro plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on various AJAX actions in versions 7.3 - 8.6. This makes it possible for authenticated attacker, with minimal permission, such as a subscriber, to perform a variety of actions such as modifying settings and viewing sensitive data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    wpindeed Indeed Membership Pro Affected: 7.3 , ≤ 8.6 (semver)
    Create a notification for this product.
    Credits
    Norman Riffat
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-36833",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T19:33:03.643092Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T19:33:16.544Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Indeed Membership Pro",
              "vendor": "wpindeed",
              "versions": [
                {
                  "lessThanOrEqual": "8.6",
                  "status": "affected",
                  "version": "7.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Norman Riffat"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Indeed Membership Pro plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on various AJAX actions in versions 7.3 - 8.6. This makes it possible for authenticated attacker, with minimal permission, such as a subscriber, to perform a variety of actions such as modifying settings and viewing sensitive data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-16T06:43:40.797Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab1cc1ef-d0e0-491d-91a8-eaa0605fc1da?source=cve"
            },
            {
              "url": "https://wpscan.com/vulnerability/9811025e-ab17-4255-aaaf-4f0306f5d281"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2020-02-06T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Indeed Membership Pro 7.3 - 8.6 - Missing Authorization Checks"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2020-36833",
        "datePublished": "2024-10-16T06:43:40.797Z",
        "dateReserved": "2024-10-15T18:10:13.105Z",
        "dateUpdated": "2024-10-16T19:33:16.544Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36832 (GCVE-0-2020-36832)

    Vulnerability from cvelistv5 – Published: 2024-10-16 06:43 – Updated: 2024-10-16 18:03
    VLAI
    Title
    Indeed Membership Pro 7.3 - 8.6 - Authentication Bypass
    Summary
    The Ultimate Membership Pro plugin for WordPress is vulnerable to Authentication Bypass in versions between, and including, 7.3 to 8.6. This makes it possible for unauthenticated attackers to login as any user, including the site administrator with a default user ID of 1, via the username or user ID.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    wpindeed Indeed Membership Pro Affected: 7.3 , < 8.6.1 (semver)
    Create a notification for this product.
    wpindeed ultimate_membership_pro Affected: 7.3 , < 8.6.1 (semver)
        cpe:2.3:a:wpindeed:ultimate_membership_pro:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Noman Riffat
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpindeed:ultimate_membership_pro:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ultimate_membership_pro",
                "vendor": "wpindeed",
                "versions": [
                  {
                    "lessThan": "8.6.1",
                    "status": "affected",
                    "version": "7.3",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-36832",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T15:34:59.506897Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T18:03:20.662Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Indeed Membership Pro",
              "vendor": "wpindeed",
              "versions": [
                {
                  "lessThan": "8.6.1",
                  "status": "affected",
                  "version": "7.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Noman Riffat"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Ultimate Membership Pro plugin for WordPress is vulnerable to Authentication Bypass in versions between, and including, 7.3 to 8.6. This makes it possible for unauthenticated attackers to login as any user, including the site administrator with a default user ID of 1, via the username or user ID."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-16T06:43:38.406Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5341bbd-55bd-41ad-b5d1-d6b56c141277?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253"
            },
            {
              "url": "https://wpscan.com/vulnerability/9811025e-ab17-4255-aaaf-4f0306f5d281"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2020-02-06T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Indeed Membership Pro 7.3 - 8.6 - Authentication Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2020-36832",
        "datePublished": "2024-10-16T06:43:38.406Z",
        "dateReserved": "2024-10-15T18:07:00.693Z",
        "dateUpdated": "2024-10-16T18:03:20.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }