CVE-2022-1903 - Missing Authorization vulnerability in Armemberplugin Armember

047910
CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (including of the administrator account) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username.

Vulnerable Configurations

Part          Description      Count
Application   Armemberplugin   1

Common Weakness Enumeration (CWE)