WordPress Plugin Vulnerabilities

WP-Members Membership < 3.4.8 - Subscriber+ Unauthorized Plugin Settings Update

Description

The plugin does not correctly implement capability checks on the do_field_reorder function, allowing authenticated users with only subscriber-level access to reorder form elements on login forms.

Affects Plugins

Plugin icon
wp-members
Fixed in 3.4.8

References

CVE
CVE-2023-2869
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bf05a79a-0375-4c9d-bbf0-a87484327b87

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
bf57f5ee-65bf-4aa0-9fc7-0a7426fc4014

Timeline

Publicly Published
2023-06-08 (about 2 years ago)
Added
2023-07-12 (about 2 years ago)
Last Updated
2023-07-12 (about 2 years ago)

Other

Published
Title
Published
2024-05-17
Title
Tagembed < 5.9 - Missing Authorization
Published
2024-12-11
Title
PostBox < 1.0.5 - Missing Authorization to Authenticated (Subscriber+) Log Export
Published
2023-08-23
Title
Elements kit Elementor addons < 2.9.2 - Missing Authorization
Published
2022-11-21
Title
Betheme < 26.6.3 - Subscriber+ Unauthorised Action
Published
2025-05-16
Title
EventON - WordPress Virtual Event Calendar Plugin < 4.9.7 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting