CVE-2024-11299: 
WordPress vulnerability analysis and mitigation

The Memberpress plugin for WordPress has been identified with a Sensitive Information Exposure vulnerability (CVE-2024-11299) affecting all versions up to and including 1.11.37. The vulnerability allows unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator through the WordPress core search feature (NVD).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 Base Score of 5.3 (MEDIUM). The attack vector is Network-based (AV:N) with Low attack complexity (AC:L), requiring No privileges (PR:N) and No user interaction (UI:N). The scope is Unchanged (S:U) with Low confidentiality impact (C:L), No integrity impact (I:N), and No availability impact (A:N) (NVD).

The vulnerability enables unauthenticated attackers to access sensitive information from posts that should only be accessible to users with administrator-level permissions. This could lead to the exposure of confidential content that was intended to be restricted to specific user roles (NVD).

The vulnerability has been addressed in version 1.12.0 of the Memberpress plugin. Users are advised to update to this version or later to protect against potential exploitation. The fix was implemented as part of a security audit and hardening process (Memberpress Changelog).