CVE-2022-0885

CRITICAL EXPLOITED NUCLEI

Memberhero Member Hero < 1.0.9 - Missing Authorization

Description

The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.

Nuclei Templates (1)

Member Hero <=1.0.9 - Remote Code Execution
CRITICAL VERIFIED by theamanrawat

Scores

CVSS v3 9.8
EPSS 0.6555
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-09-19
CWE CWE-862, CWE-94
Status published
Products (1) memberhero/member_hero < 1.0.9
Published Jun 13, 2022
Tracked Since Feb 18, 2026