CVE-2022-1903
Description
The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username
NVD
Severity: HIGH
CVE ID: CVE-2022-1903
CVSS Score: 8.1
CVSS Metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Proof Of Concept
Nuclei Templates for CVE-2022-1903
Refrence: Project Discovery GitHub
biulove0x
ARMember < 3.4.8 - Unauthenticated Admin Account Takeover
Refrence: GitHub