CVE-2022-0885
Member Hero <= 1.0.9 - Unauthenticated RCE
Vexday Risk Score
18Low
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS —EPSS 9.1%KEV nãoPoC —Nuclei simMetasploit —Patch —
Lifecycle
13 Jun 2022Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.
Affected products
Unknown · Member HeroWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →