The WP eMember plugin for WordPress exhibits a missing authorization weakness (CWE‑862) that permits users to act with higher privileges than intended. Affected versions are all releases up through v10.2.2. Exploitation can allow an attacker to read or modify protected data, configure settings, or perform administrative actions without proper authentication. The CVSS v3 score of 5.3 indicates moderate severity, reflecting potential for unauthorized access rather than complete code execution or denial of service.

Affected systems include any WordPress site running the Tips and Tricks HQ WP eMember plugin from the earliest available release through v10.2.2. Prior versions are equally impacted because the issue is present until the update to 10.2.2; an update to a newer version or removal of the plugin is necessary to mitigate the risk.

Risk remains medium due to the lack of publicly available exploits or EPSS data, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be remote via the web interface, requiring a user to navigate to a protected resource that is incorrectly accessible. There is no official workaround; therefore, sites should upgrade the plugin promptly or disable affected functionality until a patched version is released.