Back to overview

CVE-2026-15302

MEDIUM
5.3
CVSS 3.1
Description
The ARMember plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.0.27 via the 'X-FILENAME' HTTP header. This makes it possible for unauthenticated attackers to upload and overwrite certain files (e.g., CSS) to directories outside the 'wp-content/uploads/armember' directory.

Metadata

CVE ID
CVE-2026-15302
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-07-09 15:55 UTC
Published
2026-07-10 04:31 UTC
Last updated
2026-07-10 04:31 UTC
Primary CWE
CWE-36
CWE-36 Absolute Path Traversal
Vendor / Product
reputeinfosystems / ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
reputeinfosystems ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup 0 ≤ 4.0.27
Weakness (CWE)
CWESourceDescription
CWE-36 cna CWE-36 Absolute Path Traversal
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Back to overview