WP eMember < 10.6.6 - Bulk Delete via CSRF
Description
The wp-eMember plugin before 10.6.6 lacks CSRF checks in some places, allowing attackers to make logged-in users perform unwanted actions via CSRF attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The wp-eMember WordPress plugin in versions before 10.6.6 performs no Cross-Site Request Forgery (CSRF) check on some of its actions. Those actions are not protected by a WordPress nonce or any other anti-CSRF token, so an attacker can craft a request that, when a logged-in user with the relevant capability (typically an administrator) is induced to send it, performs the action on that user's behalf. All releases prior to the patched version 10.6.6 are affected [1].
Exploitation
An attacker hosts a page, or sends a link, that makes the victim's browser submit a forged request to the plugin's bulk-delete action. The attacker needs no account on the target site; the only requirements are that the victim is logged in to WordPress at the time, holds the capability needed for the targeted action (e.g., bulk delete), and that the browser attaches the victim's session cookies to the cross-site request. The victim can be lured by social engineering (clicking a link) or reach the payload through a redirect or an embedded frame on a site they already visit. Because the forged request mimics a legitimate bulk-delete submission, the deletion happens without the victim noticing [1].
Impact
If successful, the attacker makes the logged-in administrator perform unintended actions within the wp-eMember plugin. The advisory names bulk deletion of members, which causes data loss and disruption of the membership site. The overall impact depends on which actions are unprotected: the attacker gains the ability to trigger plugin functions on behalf of the victim, potentially modifying or deleting member data. CSRF lets the attacker cause a state change but not read the response, so direct exposure of member data is not part of this issue. The CVSS score is 4.3 (medium) [1].
Mitigation
The vulnerability is fixed in version 10.6.6 of the wp-eMember plugin; users should update to that version or later. The advisory gives no workaround for versions prior to 10.6.6, so updating to the latest patched release is the only remediation [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- wp-eMember WordPress plugin (no CPE assigned)
- Range: <10.6.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF nonce checks on administrative actions allow attackers to forge requests on behalf of authenticated users."
Attack vector
An attacker crafts a malicious page or link that, when visited by a logged-in administrator, triggers a forged request to the wp-eMember plugin's bulk-delete endpoint. Because the plugin does not require a CSRF token on this action, the browser's automatic inclusion of the victim's session cookies is enough for the request to be accepted, and the members are deleted [1]. Note that browsers which default cookies to SameSite=Lax block cookies on cross-site POST submissions but still send them on top-level GET navigations, so an action reachable via GET stays exploitable in those browsers, and not every browser applies that default.
Affected code
The advisory does not specify exact files or functions. The wp-eMember plugin before version 10.6.6 lacks CSRF checks in some administrative actions, including a bulk-delete feature [1].
What the fix does
The advisory states the issue is fixed in version 10.6.6 but does not include a patch diff [1]. The usual remediation in a WordPress plugin is to add a nonce check to each affected state-changing action: the form or link carries a WordPress nonce, an HMAC bound to the action name, the user ID, the session token and a time window of at most 24 hours, and the handler verifies it before acting. A cross-site page cannot read or compute that value, so forged requests fail. The nonce proves the request came from the plugin's own page; it is not an authorization check, so the handler must still verify the user's capability.
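The pattern described above and in the Vulnerability, Exploitation and Mitigation sections, shown as an added illustration. This is not wp-eMember's code and not from the WPScan advisory, which publishes no source: the function names, the `member_ids` field, the `emember_bulk_delete` action and nonce name, and the `emember_members` table are all assumed. The first handler accepts any request that arrives with a valid login cookie; the second requires a nonce and a capability.

```php
<?php
/*
 * Added illustration, not code from wp-eMember or from WPScan. The plugin's
 * real handler, field names and table are not published in the advisory;
 * everything named below (member_ids, emember_bulk_delete, emember_members)
 * is assumed.
 */

// --- Vulnerable pattern: the request is trusted because the user is logged in. ---
// A forged cross-site POST carries the victim's auth cookies, so the only thing
// standing between the attacker and the delete is that the user is logged in.
function vulnerable_bulk_delete_handler() {
    global $wpdb;
    if ( empty( $_POST['member_ids'] ) || ! is_array( $_POST['member_ids'] ) ) {
        return;
    }
    $ids = array_map( 'absint', $_POST['member_ids'] );
    foreach ( $ids as $id ) {
        $wpdb->delete( $wpdb->prefix . 'emember_members', array( 'member_id' => $id ), array( '%d' ) );
    }
}

// --- Hardened pattern: per-user, per-action nonce plus a capability check. ---
// 1) When rendering the admin form, embed a nonce tied to this action.
//    wp_nonce_field() emits the _wpnonce field and a referer field.
function render_bulk_delete_form( array $member_ids ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="emember_bulk_delete">';
    wp_nonce_field( 'emember_bulk_delete' );
    foreach ( $member_ids as $id ) {
        printf(
            '<label><input type="checkbox" name="member_ids[]" value="%d"> member %d</label>',
            absint( $id ),
            absint( $id )
        );
    }
    submit_button( 'Delete selected' );
    echo '</form>';
}

// 2) In the handler, verify the nonce before anything else. check_admin_referer()
//    calls wp_die() on failure. The nonce is an HMAC over the action name, the
//    user ID, the session token and a time tick, so a third-party page cannot
//    produce it, and the browser will not attach it the way it attaches cookies.
function hardened_bulk_delete_handler() {
    global $wpdb;
    check_admin_referer( 'emember_bulk_delete' );

    // A nonce proves intent, not authorization: still require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    if ( empty( $_POST['member_ids'] ) || ! is_array( $_POST['member_ids'] ) ) {
        wp_safe_redirect( admin_url( 'admin.php?page=emember' ) );
        exit;
    }
    $ids = array_map( 'absint', wp_unslash( $_POST['member_ids'] ) );
    foreach ( $ids as $id ) {
        $wpdb->delete( $wpdb->prefix . 'emember_members', array( 'member_id' => $id ), array( '%d' ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=emember&deleted=' . count( $ids ) ) );
    exit;
}
add_action( 'admin_post_emember_bulk_delete', 'hardened_bulk_delete_handler' );
```

When auditing a plugin for this class of bug, look for every handler hooked to `admin_post_*`, `wp_ajax_*` or an `admin_init` action dispatch that writes to the database and confirm it calls `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before the write; a capability check alone does not stop CSRF, because the forged request runs with the victim's capabilities.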
Preconditions
- auth: The victim must be logged in to WordPress as an administrator (or a user with the capability to perform bulk member deletions)
- input: The attacker must trick the victim into visiting a crafted HTML page or clicking a malicious link while authenticated
Reproduction
The WPScan advisory does not include a full proof-of-concept, but the vulnerability title "Bulk Delete via CSRF" indicates the attack involves forging a request to the plugin's bulk-delete action [1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/01cbc841-a30f-4df5-ab7f-0c2c7469657b/ (WPScan advisory; tagged mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.