Description
The Indeed Membership Pro plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on various AJAX actions in versions 7.3 - 8.6. This makes it possible for authenticated attacker, with minimal permission, such as a subscriber, to perform a variety of actions such as modifying settings and viewing sensitive data.
References (2)
Core 2
Core References
Third Party Advisory
https://wpscan.com/vulnerability/9811025e-ab17-4255-aaaf-4f0306f5d281
Scores
CVSS v3
6.3
EPSS
0.0034
EPSS Percentile
25.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (1)
wpindeed/Indeed Membership Pro
7.3 - 8.6
Published
Oct 16, 2024
Tracked Since
Feb 18, 2026