VYPR
Medium severity 5.3 · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-58000


Description

Missing Authorization vulnerability in memberful Memberful - Membership Plugin memberful-wp allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Memberful - Membership Plugin: from n/a through <= 1.75.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Memberful WordPress plugin up to 1.75.0 allows unprivileged attackers to access restricted functionality.

Vulnerability

The Memberful - Membership Plugin for WordPress (versions 1.75.0 and below) contains a missing authorization vulnerability. The plugin fails to properly enforce access controls on certain functions, allowing users without proper privileges to access functionality that should be restricted to higher-level roles [1].

Exploitation

An attacker does not need authentication to exploit this issue; they can simply send crafted requests to the vulnerable endpoints. This type of broken access control is commonly targeted in mass-exploit campaigns, where attackers automate attacks against thousands of sites simultaneously [1].

Impact

Successful exploitation enables an attacker to perform actions reserved for authorized users, such as modifying plugin settings or accessing sensitive data. The exact impact depends on the unprotected functionality, but it can lead to site compromise or privilege escalation.

Mitigation

The vulnerability has been addressed in version 1.76.0 of the plugin. Users are strongly advised to update immediately. Although the severity is considered low and exploitation unlikely, the potential for mass exploitation warrants prompt action. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

1
