CVE-2022-1903

Severity: HIGH · Exploited · Nuclei template available

ARMember < 3.4.8 - Auth Bypass

Title source: llm

Description

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (including the administrator account) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing only their username.

Exploits (1)

nomisec · Working PoC · 1 star
by biulove0x · poc
https://github.com/biulove0x/CVE-2022-1903

Nuclei Templates (1)

ARMember < 3.4.8 - Unauthenticated Admin Account Takeover
HIGH · VERIFIED · by theamanrawat

Scores

CVSS v3 8.1
EPSS 0.8265
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-06-06
CWE CWE-862 (Missing Authorization)
Status published
Products (1)
armemberplugin/armember < 3.4.8
Published Jun 27, 2022
Tracked Since Feb 18, 2026