CVE-2023-3011

MEDIUM 6.5

ARMember <= 4.0.5 - Cross-Site Request Forgery

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

The ARMember plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.5. This is due to missing or incorrect nonce validation on the arm_check_user_cap function. This makes it possible for unauthenticated attackers to perform multiple unauthorized actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE	CWE-352
Vendor	reputeinfosystems
Product	armember – membership plugin, content restriction, member levels, user profile & user signup
Published	Jul 12, 2023
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for reputeinfosystems armember – membership plugin, content restriction, member levels, user profile & user signup

Be the first to know when new medium vulnerabilities affecting reputeinfosystems armember – membership plugin, content restriction, member levels, user profile & user signup are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

reputeinfosystems / ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

0 ≤ 4.0.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/42f5f29b-2d83-4b15-82aa-0598f8a2317b?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/2932691/armember-membership/trunk/autoload.php

Credits

Alex Thomas