VYPR
Medium severity 5.3 · NVD Advisory · Published Mar 19, 2026 · Updated Apr 28, 2026

CVE-2026-28070

Description

Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP eMember: from n/a through v10.2.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WP eMember plugin through v10.2.2 has a broken access control vulnerability allowing unauthenticated privilege escalation.

Vulnerability Description

The WP eMember plugin for WordPress, through version 10.2.2, suffers from a missing authorization vulnerability. The plugin fails to properly check user permissions when performing certain actions, leading to incorrectly configured access control security levels [1]. This broken access control issue is specifically a missing authorization, authentication, or nonce token check in a function [1].

Exploitation Conditions

An attacker can exploit this vulnerability by sending crafted requests to the vulnerable plugin functions without needing any prior authentication or elevated privileges. Because the access control checks are absent or misconfigured, the plugin cannot distinguish between legitimate administrative requests and those from unprivileged users [1].

Impact

Successful exploitation allows an unprivileged attacker to execute actions normally reserved for higher-privileged roles, such as administrators. This can lead to unauthorized access to sensitive data, modification of site settings, or complete site compromise, depending on the vulnerable functionality [1].

Mitigation

Users must update the WP eMember plugin to version 10.2.3 or later as soon as possible. If an immediate update is not feasible, contact your hosting provider or a web developer for assistance. This vulnerability has been noted as likely used in mass exploitation campaigns against hundreds of thousands of websites [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
