Auth bypass in Armember – Membership Plugin, Content Restriction, Member Levels, User Profile & Signup

CVE-2022-1903

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password…

Vulnerability class: Broken Access Control

EPSS: 0.783 (99.0th percentile)

Affected products

  • Armember – Membership Plugin, Content Restriction, Member Levels, User Profile & Signup (vendor unknown) — versions before 3.4.8

Frequently asked questions

What is CVE-2022-1903?
CVE-2022-1903 is a vulnerability in Armember – Membership Plugin, Content Restriction, Member Levels, User Profile & Signup, classified under Missing Authorization. Published 2022-06-27.
Is CVE-2022-1903 known to be exploited?
14 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.