CVE-2022-1903
Published 2022-06-27
Priority: P1 (80), high. CVSS 3.1 base score 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
In the wild: exploited (VulnCheck KEV).
EPSS: 8.52% (94.4th percentile)
The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| armemberplugin | armember | < 3.4.8 | 3.4.8 |
Detection & IOCs (extracted from sources)
Command: `action=arm_shortcode_form_ajax_action&user_pass={{randstr}}&repeat_pass={{randstr}}&arm_action=change-password&key2=x&action2=rp&login2=admin`
- Detect exploit attempts by monitoring POST requests to /wp-admin/admin-ajax.php containing the AJAX action parameter 'arm_shortcode_form_ajax_action' combined with 'arm_action=change-password' from unauthenticated sessions.
- Alert on HTTP 200 responses to such POST requests whose body contains both 'Your Password has been reset' and 'arm_success_msg', indicating a successful unauthenticated password reset.
- Flag POST bodies to admin-ajax.php that include both 'arm_action=change-password' and 'action2=rp', the specific parameters used in the unauthenticated account takeover exploit.
- The vulnerability is exploitable by unauthenticated users (no session cookie or nonce required); correlate admin-ajax.php POST requests carrying 'arm_shortcode_form_ajax_action' with IPs that have no prior authenticated session.
- The exploit requires knowing the target username (e.g., 'admin'); the POST body parameter 'login2' specifies the victim account, so detections should account for 'login2' values other than 'admin'.
- Only ARMember plugin versions before 3.4.8 are vulnerable; apply version-based filtering when triaging alerts to reduce false positives on patched installations.
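As an added defender-side example (not from the original page or any of the sources it cites), the detection guidance above implemented as a small Python triage function over constructed admin-ajax.php request records. The record layout, the `authenticated` and `plugin_version` fields, and the sample response bodies are assumptions about what a web tier or WAF log would provide.

```python
from urllib.parse import parse_qs

# Constructed sample records (not real logs): one dict per admin-ajax.php request, with the
# raw body, whether a WordPress login cookie was present, the response, and the plugin version.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.5", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "authenticated": False, "plugin_version": "3.4.7", "status": 200,
     "body": "action=arm_shortcode_form_ajax_action&user_pass=Zq1&repeat_pass=Zq1"
             "&arm_action=change-password&key2=x&action2=rp&login2=admin",
     "response": '{"arm_success_msg":"Your Password has been reset"}'},
    {"ip": "203.0.113.9", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "authenticated": False, "plugin_version": "3.4.7", "status": 200,
     "body": "action=arm_shortcode_form_ajax_action&arm_action=change-password"
             "&action2=rp&login2=editor&user_pass=a&repeat_pass=b",
     "response": '{"arm_error_msg":"Passwords do not match"}'},
    {"ip": "198.51.100.2", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "authenticated": True, "plugin_version": "3.4.8", "status": 200,
     "body": "action=arm_shortcode_form_ajax_action&arm_action=change-password"
             "&login2=alice&user_pass=x&repeat_pass=x",
     "response": '{"arm_success_msg":"Your Password has been reset"}'},
    {"ip": "198.51.100.3", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "authenticated": True, "plugin_version": "3.4.8", "status": 200,
     "body": "action=heartbeat&_nonce=abc", "response": "{}"},
]

def _patched(version):
    """True when the ARMember version is 3.4.8 or later (the fixed release)."""
    try:
        return tuple(int(p) for p in version.split(".")) >= (3, 4, 8)
    except (AttributeError, ValueError):
        return False  # unknown or malformed version: never suppress on a guess

def analyze_request(req):
    """Return a finding for the CVE-2022-1903 request pattern, or None if it does not match."""
    if req["method"] != "POST" or not req["path"].endswith("/wp-admin/admin-ajax.php"):
        return None
    p = {k: v[0] for k, v in parse_qs(req["body"], keep_blank_values=True).items()}
    if p.get("action") != "arm_shortcode_form_ajax_action" or p.get("arm_action") != "change-password":
        return None
    resp = req.get("response", "")
    reset_ok = req.get("status") == 200 and "Your Password has been reset" in resp and "arm_success_msg" in resp
    finding = {"ip": req["ip"], "target_user": p.get("login2", "<missing>"),
               "rp_marker": p.get("action2") == "rp", "outcome": "reset_succeeded" if reset_ok else "attempt"}
    if req["authenticated"] and _patched(req.get("plugin_version")):
        finding["severity"] = "info"      # logged-in user on a fixed version: likely the legitimate form
    elif not req["authenticated"]:
        finding["severity"] = "critical" if reset_ok else "high"
    else:
        finding["severity"] = "medium"    # authenticated, but the plugin is still vulnerable
    return finding

def scan(requests):
    """Run analyze_request over a batch and keep only the hits."""
    return [f for f in map(analyze_request, requests) if f]
```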
CVSS provenance
NVD v3.1: 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
VulnCheck: 8.1 HIGH
GHSA
GHSA-84p8-fx26-f9cw · unreviewed · 2022-06-28 · CVE-2022-1903 [HIGH] · CWE-862 (Missing Authorization)
VulnCheck
armemberplugin armember Missing Authorization · CVE-2022-1903 [HIGH] · 2022 · CVSS 8.1
Affected: armemberplugin armember
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/armember-membership/wordpress-armember-plugin-3-4-7-unauthenticated-admin-account-takeover-vulnerability
No detection rules found.
Nuclei
ARMember < 3.4.8 - Unauthenticated Admin Account Takeover · CVE-2022-1903 [HIGH] · CVSS 8.1
Template:
```yaml
id: CVE-2022-1903
info:
  name: ARMember < 3.4.8 - Unauthenticated Admin Account Takeover
  author: theamanrawat
  severity: high
  description: |
    The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username.
  impact: |
    An attack
```