CVE-2022-2273: 
WordPress vulnerability analysis and mitigation

The Simple Membership WordPress plugin versions prior to 4.1.3 contained a membership privilege escalation vulnerability (CVE-2022-2273). The vulnerability was discovered and publicly disclosed on July 6, 2022. The issue affects the membership functionality of the Simple Membership plugin but does not impact WordPress core roles (WPScan).

The vulnerability stems from improper validation of the membershiplevel parameter when editing a user profile. Members can exploit this by adding the membershiplevel parameter to the POST request during profile updates, allowing them to escalate to a higher membership level. The vulnerability has been assigned a CVSS score of 4.6 (Medium) and is classified under CWE-269. The issue specifically relates to broken authentication and session management under OWASP Top 10 category A2 (WPScan).

When exploited, this vulnerability allows authenticated users to elevate their membership level within the plugin's hierarchy. An attacker with a lower membership level can modify their privileges to gain access to restricted content and features that should only be available to higher-tier members (WPScan).

The vulnerability has been fixed in version 4.1.3 of the Simple Membership plugin. Site administrators should update to this version or later to protect against this security issue (WPScan).