{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25308", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:20:39.016Z", "datePublished": "2026-02-19T08:26:53.408Z", "dateUpdated": "2026-04-28T16:14:54.724Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "simple-membership", "product": "Simple Membership", "vendor": "wp.insider", "versions": [{"changes": [{"at": "4.7.0", "status": "unaffected"}], "lessThanOrEqual": "4.6.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Andrea Bocchetti | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:02.755Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wp.insider Simple Membership simple-membership allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Simple Membership: from n/a through <= 4.6.9.</p>"}], "value": "Missing Authorization vulnerability in wp.insider Simple Membership simple-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Membership: from n/a through <= 4.6.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.724Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/simple-membership/vulnerability/wordpress-simple-membership-plugin-4-6-9-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Simple Membership plugin <= 4.6.9 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:39:15.802349Z", "id": "CVE-2026-25308", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:52:58.330Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:39:15.802349Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:39:08.936Z"}}], "cna": {"title": "WordPress Simple Membership plugin <= 4.6.9 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Andrea Bocchetti | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "wp.insider", "product": "Simple Membership", "versions": [{"status": "affected", "changes": [{"at": "4.7.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.6.9"}], "packageName": "simple-membership", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:02.755Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/simple-membership/vulnerability/wordpress-simple-membership-plugin-4-6-9-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wp.insider Simple Membership simple-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Membership: from n/a through <= 4.6.9.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in wp.insider Simple Membership simple-membership allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Simple Membership: from n/a through <= 4.6.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.724Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25308", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:54.724Z", "dateReserved": "2026-02-02T12:20:39.016Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:53.408Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wp.insider Simple Membership simple-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Membership: from n/a through <= 4.6.9."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en wp.insider Simple Membership simple-membership permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Simple Membership: desde n/a hasta &lt;= 4.6.9."}], "id": "CVE-2026-25308", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:15.060", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/simple-membership/vulnerability/wordpress-simple-membership-plugin-4-6-9-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.6.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Simple Membership", "source": "cna", "vendor": "wp.insider"}, "product": "simple_membership", "vendor": "wp.insider"}], "analysis": {"en": {"generated_at": "2026-04-16T00:33:35.168989+00:00", "value": {"mitigation_remediation": ["Update the Simple Membership plugin to a version newer than 4.6.9, which removes the broken access control logic.", "Re\u2011evaluate the plugin\u2019s security level settings and enforce the highest level approved for your site\u2019s needs.", "Verify that all user roles have the appropriate capabilities and that no legacy roles remain with elevated permissions."], "summary": {"action": "Patch", "impact": "Access Control Bypass"}, "threat_synthesis": {"affected_systems": "The Simple Membership plugin for WordPress, version 4.6.9 and earlier, is affected. This includes all installations of the plugin where the security level setting has been modified or remains at the default insecure configuration. The impact applies to any WordPress site using these plugin versions.", "description_and_impact": "An authorization flaw in Simple Membership allows a user to exploit incorrectly configured access control security levels. The vulnerability enables bypassing intended restrictions, giving the attacker broader access to protected areas or content. It is identified as a broken access control weakness (CWE-862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to use this flaw by interacting with the plugin\u2019s configuration interfaces or by submitting content that triggers elevated privilege checks. Successful exploitation would allow an attacker to bypass authentication controls, potentially gaining unauthorized access to restricted content or administrative functions."}}}}, "created": "2026-02-20T10:09:11.716420+00:00", "updated": "2026-04-16T00:45:15.962902+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp.insider", "wp.insider$PRODUCT$simple_membership"]}