CVE-2024-5596 - Vulnerability Details - OpenCVE

The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta and plugin options which can lead to limited privilege escalation.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00109.

Key SSVC decision points have not yet been added.

Vendors	Products
Wordpress	Wordpress

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Wordpress	Wordpress

References

Link	Providers
https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056
https://www.wordfence.com/threat-intel/vulnerabilities/id/3e55591e-c1e9-4667-b04f-4956d2f37d51?source=cve

History

Wed, 08 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-352

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-06-22T05:47:55.999Z

Updated: 2026-04-08T16:47:51.555Z

Reserved: 2024-06-03T12:57:51.027Z

Link: CVE-2024-5596

Vulnrichment

Updated: 2024-08-01T21:18:06.636Z

NVD

Status : Awaiting Analysis

Published: 2024-06-22T06:15:11.470

Modified: 2026-04-08T18:22:09.020

Link: CVE-2024-5596

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-13T11:31:49Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-5596", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-06-03T12:57:51.027Z", "datePublished": "2024-06-22T05:47:55.999Z", "dateUpdated": "2026-04-08T16:47:51.555Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:51.555Z"}, "affected": [{"vendor": "armember", "product": "ARMember Premium \u2013 Membership Plugin, Content Restriction, Member Levels, User Profile & User signup", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta and plugin options which can lead to limited privilege escalation."}], "title": "ARMember Premium <= 6.7 - Cross-Site Request Forgery via multiple functions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e55591e-c1e9-4667-b04f-4956d2f37d51?source=cve"}, {"url": "https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "timeline": [{"time": "2024-06-03T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2024-06-03T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2024-06-21T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-26T18:16:14.740709Z", "id": "CVE-2024-5596", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T19:02:22.041Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.636Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e55591e-c1e9-4667-b04f-4956d2f37d51?source=cve", "tags": ["x_transferred"]}, {"url": "https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e55591e-c1e9-4667-b04f-4956d2f37d51?source=cve", "tags": ["x_transferred"]}, {"url": "https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.636Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5596", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-26T18:16:14.740709Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T19:02:19.840Z"}}], "cna": {"title": "ARMember Premium <= 6.7 - Cross-Site Request Forgery via multiple functions", "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"}}], "affected": [{"vendor": "armember", "product": "ARMember Premium \u2013 Membership Plugin, Content Restriction, Member Levels, User Profile & User signup", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "6.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-06-03T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2024-06-03T00:00:00.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2024-06-21T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e55591e-c1e9-4667-b04f-4956d2f37d51?source=cve"}, {"url": "https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056"}], "descriptions": [{"lang": "en", "value": "The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta and plugin options which can lead to limited privilege escalation."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-06-22T05:47:55.999Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5596", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:18:06.636Z", "dateReserved": "2024-06-03T12:57:51.027Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-06-22T05:47:55.999Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta and plugin options which can lead to limited privilege escalation."}, {"lang": "es", "value": "El complemento ARMember Premium para WordPress es vulnerable a Cross-Site Request Forgery en versiones hasta la 6.7 incluida. Esto se debe a una funci\u00f3n de validaci\u00f3n nonce implementada incorrectamente en m\u00faltiples funciones. Esto hace posible que atacantes no autenticados modifiquen o eliminen metaopciones y complementos del usuario, lo que puede conducir a una escalada de privilegios limitada."}], "id": "CVE-2024-5596", "lastModified": "2026-04-08T18:22:09.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-06-22T06:15:11.470", "references": [{"source": "security@wordfence.com", "url": "https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e55591e-c1e9-4667-b04f-4956d2f37d51?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e55591e-c1e9-4667-b04f-4956d2f37d51?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}