WordPress Plugin Vulnerabilities

Indeed Membership Pro < 12.8 - Unauthenticated Privilege Escalation

Description

The plugin is vulnerable to privilege escalation due to the plugin not properly restricting access to functionality that allows privilege assignment. This makes it possible for unauthenticated attackers to gain access to accounts that have higher privileges, such as administrator.

Affects Plugins

Plugin icon
indeed-membership-pro
Fixed in 12.8

References

CVE
CVE-2024-43240
URL
https://patchstack.com/database/vulnerability/indeed-membership-pro/wordpress-indeed-ultimate-membership-pro-plugin-12-6-unauthenticated-privilege-escalation-vulnerability

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
a0c1c069-d186-4f3f-b600-c1d49b356f20

Timeline

Publicly Published
2024-08-12 (about 1 year ago)
Added
2024-08-23 (about 1 year ago)
Last Updated
2024-09-25 (about 1 year ago)

Other

Published
Title
Published
2025-10-17
Title
Sale! Immigration law, Visa services support, Migration Agent Consulting <= 1.5.8 - Authenticated (Subscriber+) Privilege Escalation
Published
2023-08-21
Title
MasterStudy LMS < 3.0.18 - Unauthenticated Instructor Account Creation
Published
2020-02-17
Title
wpCentral < 1.5.1 - Improper Access Control to Privilege Escalation
Published
2025-08-25
Title
Dokan Pro < 4.0.6 - Authenticated (Vendor+) Privilege Escalation
Published
2024-07-01
Title
Ultimate Addons for Elementor < 1.36.32 - Authenticated (Contributor+) Privilege Escalation