Skip to main content

Wp Emember CVE-2026-28070

| EUVDEUVD-2026-13049 MEDIUM
Missing Authorization (CWE-862)
2026-03-19 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 19, 2026 - 05:30 euvd
EUVD-2026-13049
Analysis Generated
Mar 19, 2026 - 05:30 vuln.today
CVE Published
Mar 19, 2026 - 05:20 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP eMember: from n/a through v10.2.2.

AnalysisAI

WP eMember through version 10.2.2 contains an authorization bypass flaw that allows unauthenticated remote attackers to circumvent access control restrictions and view protected content. The vulnerability stems from improper validation of security level configurations, enabling unauthorized information disclosure without user interaction. No patch is currently available for this issue.

Technical ContextAI

WP eMember is a WordPress membership plugin by Tips and Tricks HQ that manages access control and member authentication through custom security levels and authorization rules. The vulnerability root cause is classified under CWE-862 (Missing Authorization), which describes the failure to enforce proper access control checks before granting access to protected resources. Rather than a cryptographic or authentication failure, this is an authorization logic flaw where the plugin's access control decision points do not properly validate user permissions against configured security levels before rendering restricted content or functionality. The affected CPE (cpe:2.3:a:tips_and_tricks_hq:wp_emember:*:*:*:*:*:*:*:*) confirms the vulnerability spans all versions from inception through 10.2.2, suggesting the authorization flaw is endemic to the core access control implementation rather than introduced in a recent update.

RemediationAI

Update WP eMember to the latest patched version released by Tips and Tricks HQ immediately through the WordPress plugin dashboard or by downloading directly from the vendor. Consult the Patchstack vulnerability advisory (https://patchstack.com/database/wordpress/plugin/wp-emember/vulnerability/wordpress-wp-emember-plugin-v10-2-2-broken-access-control-vulnerability?_s_id=cve) for the specific patched version number. Until patching is completed, restrict network access to the WordPress site to trusted IP ranges via firewall or Web Application Firewall (WAF) rules, implement additional authorization checks at the web server level using htaccess or nginx directives, and consider temporarily disabling public-facing member-restricted content to prevent unauthorized information disclosure. Review access logs for signs of exploitation attempts and validate that all existing member accounts have appropriate security level assignments.

CVE-2024-5080 HIGH POC
8.8 Jul 13

The wp-eMember WordPress plugin before 10.6.6 does not validate files to be uploaded, which could allow admins to upload

CVE-2024-5076 HIGH POC
8.8 Jul 13

The wp-eMember WordPress plugin before 10.6.6 does not have CSRF checks in some places, which could allow attackers to m

CVE-2024-4749 HIGH POC
8.3 Jun 04

The wp-eMember WordPress plugin before 10.3.9 does not sanitize and escape the "fieldId" parameter before outputting it

CVE-2024-5715 HIGH POC
7.1 Jul 13

The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape a parameter before outputting it back in the

CVE-2024-5744 MEDIUM POC
6.8 Jul 13

The wp-eMember WordPress plugin before 10.6.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it

CVE-2024-5077 MEDIUM POC
6.8 Jul 13

The wp-eMember WordPress plugin before 10.6.6 does not have CSRF check in some places, and is missing sanitisation as we

CVE-2024-5081 MEDIUM POC
6.1 Aug 05

The wp-eMember WordPress plugin before v10.7.0 does not have CSRF check in some places, and is missing sanitisation as w

CVE-2024-5079 MEDIUM POC
6.1 Jul 13

The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape some of the fields when members register, whi

CVE-2024-5075 MEDIUM POC
5.9 Jul 13

The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the

CVE-2024-5074 MEDIUM POC
5.4 Jul 13

The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the

CVE-2026-54811 CRITICAL
9.3 Jun 17

Unauthenticated SQL injection in the WP eMember WordPress plugin versions prior to 10.9.4 allows remote attackers to inj

CVE-2026-28073 HIGH
7.1 Mar 19

A reflected cross-site scripting (XSS) vulnerability exists in the WP eMember WordPress plugin by Tips and Tricks HQ, af

Share

CVE-2026-28070 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy