Description
Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Membership: from n/a through <= 1.6.3.
Published: 2025-08-14
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a missing authorization check that permits users to alter plugin configuration. This weakness can enable an attacker to modify membership settings, potentially granting themselves or others elevated permissions, undermining site security, and impacting the integrity of membership controls. The issue is identified as CWE‑862, indicating improper authorization.

Affected Systems

Affected systems are WordPress sites running the WP Membership plugin by e-plugins, version 1.6.3 and earlier. No specific sub‑versions are listed; all releases up to and including 1.6.3 are vulnerable.

Risk and Exploitability

The CVSS score of 5.4 reflects moderate risk, and the EPSS score of < 1 % indicates a very low likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need authenticated access to the WordPress backend and would exploit the flaw by navigating to the plugin’s settings page. The combination of moderate severity and low exploit probability suggests a measured threat that should be addressed promptly to prevent potential privilege escalation.

Generated by OpenCVE AI on April 30, 2026 at 08:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Membership plugin to the latest available version (greater than 1.6.3).
  • Verify that only trusted administrators have access to the plugin’s settings and review user role capabilities.
  • If the plugin is not required for site operation, remove or disable it entirely.

Generated by OpenCVE AI on April 30, 2026 at 08:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24909 Missing Authorization vulnerability in e-plugins WP Membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Membership: from n/a through 1.6.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in e-plugins WP Membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Membership: from n/a through 1.6.3. Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Membership: from n/a through <= 1.6.3.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Fri, 15 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
First Time appeared E-plugins
E-plugins wp Membership
Wordpress
Wordpress wordpress
Vendors & Products E-plugins
E-plugins wp Membership
Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 18:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in e-plugins WP Membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Membership: from n/a through 1.6.3.
Title WordPress WP Membership Plugin <= 1.6.3 - Settings Change Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

E-plugins Wp Membership
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:35.848Z

Reserved: 2025-07-28T10:56:24.796Z

Link: CVE-2025-54717

cve-icon Vulnrichment

Updated: 2025-08-14T19:30:27.859Z

cve-icon NVD

Status : Deferred

Published: 2025-08-14T19:15:37.950

Modified: 2026-04-23T15:32:52.973

Link: CVE-2025-54717

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T09:00:20Z

Weaknesses