Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP eMember: from n/a through v10.2.2.
AnalysisAI
WP eMember through version 10.2.2 contains an authorization bypass flaw that allows unauthenticated remote attackers to circumvent access control restrictions and view protected content. The vulnerability stems from improper validation of security level configurations, enabling unauthorized information disclosure without user interaction. No patch is currently available for this issue.
Technical ContextAI
WP eMember is a WordPress membership plugin by Tips and Tricks HQ that manages access control and member authentication through custom security levels and authorization rules. The vulnerability root cause is classified under CWE-862 (Missing Authorization), which describes the failure to enforce proper access control checks before granting access to protected resources. Rather than a cryptographic or authentication failure, this is an authorization logic flaw where the plugin's access control decision points do not properly validate user permissions against configured security levels before rendering restricted content or functionality. The affected CPE (cpe:2.3:a:tips_and_tricks_hq:wp_emember:*:*:*:*:*:*:*:*) confirms the vulnerability spans all versions from inception through 10.2.2, suggesting the authorization flaw is endemic to the core access control implementation rather than introduced in a recent update.
RemediationAI
Update WP eMember to the latest patched version released by Tips and Tricks HQ immediately through the WordPress plugin dashboard or by downloading directly from the vendor. Consult the Patchstack vulnerability advisory (https://patchstack.com/database/wordpress/plugin/wp-emember/vulnerability/wordpress-wp-emember-plugin-v10-2-2-broken-access-control-vulnerability?_s_id=cve) for the specific patched version number. Until patching is completed, restrict network access to the WordPress site to trusted IP ranges via firewall or Web Application Firewall (WAF) rules, implement additional authorization checks at the web server level using htaccess or nginx directives, and consider temporarily disabling public-facing member-restricted content to prevent unauthorized information disclosure. Review access logs for signs of exploitation attempts and validate that all existing member accounts have appropriate security level assignments.
More in Wp Emember
View allThe wp-eMember WordPress plugin before 10.6.6 does not validate files to be uploaded, which could allow admins to upload
The wp-eMember WordPress plugin before 10.6.6 does not have CSRF checks in some places, which could allow attackers to m
The wp-eMember WordPress plugin before 10.3.9 does not sanitize and escape the "fieldId" parameter before outputting it
The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape a parameter before outputting it back in the
The wp-eMember WordPress plugin before 10.6.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it
The wp-eMember WordPress plugin before 10.6.6 does not have CSRF check in some places, and is missing sanitisation as we
The wp-eMember WordPress plugin before v10.7.0 does not have CSRF check in some places, and is missing sanitisation as w
The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape some of the fields when members register, whi
The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the
The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the
Unauthenticated SQL injection in the WP eMember WordPress plugin versions prior to 10.9.4 allows remote attackers to inj
A reflected cross-site scripting (XSS) vulnerability exists in the WP eMember WordPress plugin by Tips and Tricks HQ, af
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13049