CVE-2022-1903

CVE-2022-1903: ARMember < 3.4.8 - Unauthenticated Admin Account Takeover

Vendor Unknown

Product ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Weakness CWE-862 · Missing authorization

Published June 27, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username

Key dates

02Disclosure timeline

June 27, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-1903 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2023-33922 WordPress Elementor plugin <= 3.13.2 - Broken Access Control vulnerability CVE-2025-2779 Insert Headers and Footers Code – HT Script <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update CVE-2024-49657 WordPress 3D Work In Progress plugin <= 1.0.3 - Arbitrary File Deletion vulnerability CVE-2026-54475 Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover CVE-2024-7491 HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.1 - Insecure Direct Object Reference to Unsubscribe