CVE-2023-3011: 
WordPress vulnerability analysis and mitigation

The ARMember WordPress plugin (versions up to 4.0.5) was identified with a Cross-Site Request Forgery vulnerability (CVE-2023-3011). The vulnerability was discovered due to missing or incorrect nonce validation in the armcheckuser_cap function. This security issue was disclosed on July 12, 2023, affecting the ARMember membership plugin for WordPress installations (NVD CVE).

The vulnerability stems from improper implementation of security controls in the armcheckuser_cap function. The CVSS v3.1 base score was assessed at 8.8 (HIGH) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Wordfence assessed it at 6.5 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD CVE).

The vulnerability allows unauthenticated attackers to perform multiple unauthorized actions on affected WordPress sites. If successfully exploited, attackers can execute actions with administrative privileges, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (NVD CVE).

A patch was released to address this vulnerability, and users are advised to upgrade to version 4.0.6 or later of the ARMember plugin. The fix was implemented through changes in the plugin's autoload.php file (WordPress Patch).