WordPress Plugin Vulnerabilities

ARMember < 4.0.25 - Improper Access Control to Sensitive Information Exposure via REST API

Description

The ARMember plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "Default Restriction" feature and view restricted post content.

Affects Plugins

Plugin icon
armember-membership
Fixed in 4.0.25

References

CVE
CVE-2024-0969
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ea4e6718-4e1e-44ce-8463-860f0d3d80f5

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
7088304e-9d2b-4e9f-bc9c-9878d09cb643

Timeline

Publicly Published
2024-02-01 (about 2 years ago)
Added
2024-02-02 (about 2 years ago)
Last Updated
2024-02-02 (about 2 years ago)

Other

Published
Title
Published
2026-02-25
Title
User Registration & Membership < 5.1.3 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion
Published
2025-03-06
Title
VK Blocks < 1.95.0.3 - Missing Authorization to Sensitive Information Exposure
Published
2023-10-16
Title
Awesome Support < 6.1.5 - Reflected Cross-Site Scripting
Published
2021-03-23
Title
SecuPress < 2.0 - Unauthenticated Arbitrary IP Ban
Published
2024-04-18
Title
Frontend Admin by DynamiApps < 3.19.5 - Improper Missing Encryption Exception Handling to Form Manipulation