WordPress Plugin Vulnerabilities

Member Hero <= 1.0.9 - Unauthenticated RCE

Description

The plugin lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.

Proof of Concept

curl https://example.com/wp-admin/admin-ajax.php?action=memberhero_send_form&_memberhero_hook=phpinfo

Affects Plugins

Plugin icon
member-hero
No known fix

References

CVE
CVE-2022-0885

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.0 (critical)

Miscellaneous

Original Researcher
Harald Eilertsen
Submitter
Harald Eilertsen
Submitter website
https://jetpack.com
Verified
Yes
WPVDB ID
8b08b72e-5584-4f25-ab73-5ab0f47412df

Timeline

Publicly Published
2022-05-18 (about 2 years ago)
Added
2022-05-18 (about 2 years ago)
Last Updated
2023-02-08 (about 1 years ago)

Other

Published
Title
Published
2023-08-28
Title
Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE
Published
2014-08-01
Title
WPLocalPlaces - File Upload Remote Code Execution
Published
2019-02-19
Title
WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
Published
2018-08-26
Title
Plainview Activity Monitor < 20180826 - Remote Command Execution (RCE)
Published
2024-05-09
Title
Orders Tracking for WooCommerce < 1.2.11 - Unauthenticated Arbitrary Shortcode Execution