The WP eMember plugin for WordPress, produced by Tips and Tricks HQ, contains a missing authorization flaw (CWE-862). The vulnerability permits attackers to exploit incorrectly configured access control settings, enabling them to act with higher privileges than intended. The issue applies to all releases up through v10.2.2. Exploitation may allow unauthorized reading or modification of protected data, adjustment of plugin settings, or other administrative actions without proper authentication. The CVSS v3 score of 5.3 indicates moderate severity, reflecting the risk of unauthorized access rather than full remote code execution or denial of service.

Affected systems include any WordPress site running the Tips and Tricks HQ WP eMember plugin from the earliest available release through v10.2.2. Prior versions are equally impacted because the issue is present until the update to 10.2.2; an update to a newer version or removal of the plugin is necessary to mitigate the risk.

Risk remains medium, with an EPSS score of 0.00013 indicating a very low exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be remote via the web interface, requiring a user to navigate to a protected resource that is incorrectly accessible. There is no official workaround; therefore, sites should upgrade the plugin promptly or disable affected functionality until a patched version is released.