{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28070", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:39.590Z", "datePublished": "2026-03-19T05:20:03.784Z", "dateUpdated": "2026-04-28T16:15:06.675Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WP eMember", "vendor": "Tips and Tricks HQ", "versions": [{"lessThanOrEqual": "v10.2.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP eMember: from n/a through v10.2.2.</p>"}], "value": "Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP eMember: from n/a through v10.2.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:06.675Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/wordpress/plugin/wp-emember/vulnerability/wordpress-wp-emember-plugin-v10-2-2-broken-access-control-vulnerability?_s_id=cve"}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress WP eMember plugin <= v10.2.2 - Broken Access Control vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T14:48:26.061366Z", "id": "CVE-2026-28070", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:49:02.728Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28070", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T14:48:26.061366Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:48:54.862Z"}}], "cna": {"title": "WordPress WP eMember plugin <= v10.2.2 - Broken Access Control vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Tips and Tricks HQ", "product": "WP eMember", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "v10.2.2"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/wp-emember/vulnerability/wordpress-wp-emember-plugin-v10-2-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP eMember: from n/a through v10.2.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP eMember: from n/a through v10.2.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T05:20:03.784Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28070", "state": "PUBLISHED", "dateUpdated": "2026-03-19T14:49:02.728Z", "dateReserved": "2026-02-25T12:13:39.590Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T05:20:03.784Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP eMember: from n/a through v10.2.2."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Tips and Tricks HQ WP eMember permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP eMember: desde n/a hasta v10.2.2."}], "id": "CVE-2026-28070", "lastModified": "2026-04-28T19:37:26.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T06:16:26.360", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/wp-emember/vulnerability/wordpress-wp-emember-plugin-v10-2-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.2.2]"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "WP eMember", "source": "cna", "vendor": "Tips and Tricks HQ"}, "product": "wp_emember", "vendor": "tipsandtricks-hq"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T22:20:31.933048+00:00", "value": {"mitigation_remediation": ["Upgrade WP eMember to the latest version (>=10.2.3) once available.", "If an update is not possible, restrict user access levels or disable the plugin to prevent unauthorized use.", "Monitor the WordPress admin area for anomalous activity and review user permissions.", "Check the vendor\u2019s website or plugin repository for security notices regularly."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access / Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Affected systems include any WordPress site running the Tips and Tricks HQ WP eMember plugin from the earliest available release through v10.2.2. Prior versions are equally impacted because the issue is present until the update to 10.2.2; an update to a newer version or removal of the plugin is necessary to mitigate the risk.", "description_and_impact": "The WP eMember plugin for WordPress, produced by Tips and Tricks HQ, contains a missing authorization flaw (CWE-862). The vulnerability permits attackers to exploit incorrectly configured access control settings, enabling them to act with higher privileges than intended. The issue applies to all releases up through v10.2.2. Exploitation may allow unauthorized reading or modification of protected data, adjustment of plugin settings, or other administrative actions without proper authentication. The CVSS v3 score of 5.3 indicates moderate severity, reflecting the risk of unauthorized access rather than full remote code execution or denial of service.", "risk_and_exploitability": "Risk remains medium, with an EPSS score of 0.00013 indicating a very low exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be remote via the web interface, requiring a user to navigate to a protected resource that is incorrectly accessible. There is no official workaround; therefore, sites should upgrade the plugin promptly or disable affected functionality until a patched version is released."}}}}, "created": "2026-03-19T08:54:40.558030+00:00", "updated": "2026-04-28T22:30:41.600992+00:00", "vendors": ["tipsandtricks-hq", "tipsandtricks-hq$PRODUCT$wp_emember", "wordpress", "wordpress$PRODUCT$wordpress"]}