CVE-2023-3011
Published: 2023-07-12
Priority: P3 (40) · Severity: high · CVSS 3.1 base score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.27% (18.2nd percentile)
The ARMember plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.5. This is due to missing or incorrect nonce validation on the arm_check_user_cap function. This makes it possible for unauthenticated attackers to perform multiple unauthorized actions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| armemberplugin | armember | < 4.0.6 | 4.0.6 |
VulDB
ARMember Plugin up to 4.0.5 on WordPress cross-site request forgery (vuldb · 2026-04-10 · CVSS 6.5 · CVE-2023-3011 [MEDIUM])
A vulnerability identified as problematic has been detected in ARMember Plugin up to 4.0.5 on WordPress. This impacts an unknown function. This manipulation causes cross-site request forgery.
This vulnerability is handled as CVE-2023-3011. The attack can be initiated remotely. No exploit is available.
GHSA
GHSA-985x-4r2c-5qx3 (ghsa_unreviewed · 2023-07-12 · CVE-2023-3011 [HIGH] · CWE-352)
The ARMember plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.5. This is due to missing or incorrect nonce validation on the arm_check_user_cap function. This makes it possible for unauthenticated attackers to perform multiple unauthorized actions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://plugins.trac.wordpress.org/changeset/2932691/armember-membership/trunk/autoload.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/42f5f29b-2d83-4b15-82aa-0598f8a2317b?source=cve
Published: 2023-07-12