cbcvebase.
CVE-2022-1903
published 2022-06-27


Priority: P1 80 high
CVSS 3.1 base score: 8.1
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 8.52% (94.4th percentile)
The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username

Affected

1 range

Vendor           Product    Version range   Fixed in
armemberplugin   armember   < 3.4.8         3.4.8

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php
Command: action=arm_shortcode_form_ajax_action&user_pass={{randstr}}&repeat_pass={{randstr}}&arm_action=change-password&key2=x&action2=rp&login2=admin
Other: arm_shortcode_form_ajax_action
  • Detect exploit attempts by monitoring POST requests to /wp-admin/admin-ajax.php containing the AJAX action parameter 'arm_shortcode_form_ajax_action' combined with 'arm_action=change-password' from unauthenticated sessions.
  • Alert on HTTP 200 responses to the above POST request whose body contains both 'Your Password has been reset' and 'arm_success_msg', indicating a successful unauthenticated password reset.
  • Flag POST bodies to admin-ajax.php that include 'arm_action=change-password' and 'action2=rp' parameters, which are the specific parameters used in the unauthenticated account takeover exploit.
  • The vulnerability is exploitable by unauthenticated users (no session cookie or nonce required); correlate admin-ajax.php POST requests with 'arm_shortcode_form_ajax_action' from IPs with no prior authenticated session.
  • The exploit requires knowing the target username (e.g., 'admin'); the POST body parameter 'login2' specifies the victim account. Detections should account for variations in the 'login2' value beyond just 'admin'.
  • Only ARMember plugin versions before 3.4.8 are vulnerable; ensure version-based filtering is applied when triaging alerts to reduce false positives on patched installations.
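One way to turn the indicators above into detection logic, as an added Python example that is not ARMember code or anything taken from the CVE sources: it parses constructed admin-ajax.php request records in an assumed schema (method, path, body, cookies, status, response), flags the action/arm_action/action2 combination, extracts the target username from 'login2', notes whether the request lacked a WordPress login cookie, and checks the response for both success markers.

```python
# Added detection example for CVE-2022-1903 (not ARMember project code).
# Request records use a constructed schema: method, path, body, cookies, status, response.
from urllib.parse import parse_qs, urlparse

AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "arm_shortcode_form_ajax_action"
SUCCESS_MARKERS = ("Your Password has been reset", "arm_success_msg")


def inspect_request(rec: dict):
    """Return a finding dict if the record matches the exploit pattern, else None."""
    if rec["method"] != "POST" or urlparse(rec["path"]).path != AJAX_PATH:
        return None
    params = {k: v[0] for k, v in parse_qs(rec["body"], keep_blank_values=True).items()}
    # Core IoC: the vulnerable AJAX action combined with the change-password sub-action.
    if params.get("action") != AJAX_ACTION or params.get("arm_action") != "change-password":
        return None
    # action2=rp is the remaining exploit-specific marker from the IoC list.
    if params.get("action2") != "rp":
        return None
    # No WordPress login cookie means the request came from an unauthenticated session.
    unauth = not any(c.startswith("wordpress_logged_in_") for c in rec.get("cookies", []))
    # A 200 whose body carries both success markers indicates the reset went through.
    success = rec.get("status") == 200 and all(
        m in rec.get("response", "") for m in SUCCESS_MARKERS)
    return {"target_user": params.get("login2", "<missing>"),
            "unauthenticated": unauth, "succeeded": success}


def scan(records: list) -> list:
    """Apply inspect_request to every record and keep the hits."""
    return [f for f in map(inspect_request, records) if f]


# Constructed sample traffic: a benign AJAX call, a failed attempt, a successful reset.
EXPLOIT_BODY = ("action=arm_shortcode_form_ajax_action&user_pass=N3w&repeat_pass=N3w"
                "&arm_action=change-password&key2=x&action2=rp&login2=")
SAMPLE = [
    {"method": "POST", "path": AJAX_PATH, "body": "action=heartbeat&data=1",
     "cookies": ["wordpress_logged_in_abc=alice"], "status": 200, "response": "{}"},
    {"method": "POST", "path": AJAX_PATH, "body": EXPLOIT_BODY + "editor1",
     "cookies": [], "status": 200, "response": "error"},
    {"method": "POST", "path": AJAX_PATH + "?x=1", "body": EXPLOIT_BODY + "admin",
     "cookies": [], "status": 200,
     "response": '<div class="arm_success_msg">Your Password has been reset</div>'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```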

CVSS provenance

NVD v3.1: 8.1 HIGH  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.8 MEDIUM  AV:N/AC:M/Au:N/C:P/I:P/A:P
VulnCheck: 8.1 HIGH