CVE-2022-0885

Published: Jun 13, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.

Affected (1)

Products: Memberhero: Member Hero

Memberhero

1 product

Member Hero

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Memberhero Member Hero	Up to 1.0.9

Related CWEs

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://wpscan.com/vulnerability/8b08b72e-5584-4f25-ab73-5ab0f47412df

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/8b08b72e-5584-4f25-ab73-5ab0f47412df

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.