CVE-2017-1002008

CRITICAL

Membership Simplified - Unrestricted File Upload

Title source: rule

Description

Vulnerability in wordpress plugin membership-simplified-for-oap-members-only v1.58, The file download code located membership-simplified-for-oap-members-only/download.php does not check whether a user is logged in and has download privileges.

Exploits (1)

exploitdb WORKING POC

by The Martian · pythonwebappsphp

https://www.exploit-db.com/exploits/41622

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] http://www.vapidlabs.com/advisory.php?v=187

[Not Applicable] https://wordpress.org/plugins/membership-simplified-for-oap-members-only

[Third Party Advisory] https://wpvulndb.com/vulnerabilities/8777

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/41622/

Scores

CVSS v3 9.8

EPSS 0.3996

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (2)

membership_simplified_project/membership_simplified 1.58

William DeAngelis/membership-simplified-for-oap-members-only unspecified - 1.58

Published Sep 14, 2017

Tracked Since Feb 18, 2026