Members < 3.2.11 – Unauthenticated Content Restriction Bypass to Sensitive Information Exposure | CVE 2024-11008 | Plugin Vulnerabilities

Description

The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.10 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

Affects Plugins

Fixed in 3.2.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0f6ad375-da04-4b56-8077-e26c148e7527

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

9e986028-aef0-480a-9d7a-bdaebc21e9aa

Timeline

Publicly Published

2024-12-10 (about 1 year ago)

Added

2024-12-10 (about 1 year ago)

Last Updated

2024-12-11 (about 1 year ago)

Other

Published

Title

Published

2025-09-12

Title

Multiple Plugins and Themes by inkthemes - Unauthenticated Information Exposure

Published

2025-12-05

Title

SendPulse Email Marketing Newsletter < 2.2.2 - Authenticated (Subscriber+) Information Exposure

Published

2024-03-29

Title

Essential Addons for Elementor < 5.9.14 - Unauthenticated Private/Draft Posts Access

Published

2025-12-08

Title

Custom Field Template < 2.7.7 - Authenticated (Subscriber+) Information Exposure

Published

2025-09-15

Title

Atarim < 4.2.2 - Unauthenticated Information Exposure