Cyber Posture

CVE-2025-70150

Critical · Public PoC

Published: 18 February 2026
Modified: 23 February 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0048 (65.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in delete_members.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Explicitly defines and authorizes only specific actions without identification or authentication, preventing delete operations like those in delete_members.php from being accessible to unauthenticated attackers.
- prevent: Enforces approved access control policies to block unauthenticated access to sensitive operations such as deleting member records via the id parameter.
- prevent: Applies least privilege to ensure delete functions require appropriate authorization, mitigating unauthorized deletions by unauthenticated users.

Security Summary [AI-generated]

CVE-2025-70150 is a missing authentication vulnerability (CWE-862) in the CodeAstro Membership Management System version 1.0, specifically affecting the delete_members.php component. This flaw enables unauthenticated attackers to delete arbitrary member records by supplying an id parameter. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.

Unauthenticated remote attackers can exploit this vulnerability by directly accessing the delete_members.php endpoint with a manipulated id parameter, resulting in the permanent deletion of any member record in the system. Successful exploitation disrupts data integrity and availability, potentially allowing attackers to sabotage membership databases without detection or authorization.

Advisories and additional details on the vulnerability are documented in references including the product page at https://www.phpscriptsonline.com/product/membership-management-software and analysis at https://youngkevinn.github.io/posts/CVE-2025-70150-Membership-Unauth-Delete/. The CVE was published on 2026-02-18T18:24:20.040.
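A hardened handler for an endpoint like delete_members.php, as an added PHP example that is not CodeAstro's code and not the vendor's fix: it applies the controls listed above (authenticate, authorize, least privilege) and goes slightly further by also requiring POST with a CSRF token and using a parameterised query. The table name, session keys and PDO connection details are assumptions.

```php
<?php
// Added example (not CodeAstro's code): a hardened delete handler.
// Assumed: a `members` table with integer `id`, session keys `user_id`,
// `role` and `csrf_token`, and a local MySQL database `membership`.
declare(strict_types=1);
session_start();

// 1. Authentication: reject any request without a logged-in session.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Authentication required');
}
// 2. Authorization / least privilege: only administrators may delete members.
if (($_SESSION['role'] ?? '') !== 'admin') {
    http_response_code(403);
    exit('Insufficient privileges');
}
// 3. State-changing action: require POST and a CSRF token bound to the session.
//    The token must be non-empty; hash_equals('', '') would otherwise pass.
$sessionToken = $_SESSION['csrf_token'] ?? '';
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || $sessionToken === ''
    || !hash_equals($sessionToken, (string) ($_POST['csrf_token'] ?? ''))) {
    http_response_code(400);
    exit('Invalid request');
}
// 4. Validate the id parameter as a positive integer before it reaches SQL.
//    filter_input returns null when absent and false when invalid.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid member id');
}
// 5. Parameterised query: the id is bound, never interpolated into the statement.
$pdo = new PDO('mysql:host=localhost;dbname=membership', 'app_user', 'change-me', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('DELETE FROM members WHERE id = :id');
$stmt->execute([':id' => $id]);

// 6. Audit trail: record who deleted which record so that deletions,
//    and failed attempts above, are visible to detection and review.
error_log(sprintf('member %d deleted by user %s (%d row(s))',
    $id, (string) $_SESSION['user_id'], $stmt->rowCount()));
header('Location: members.php');
exit;
```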

Details

CWE(s)

Affected Products

codeastro membership management system 1.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Why these techniques?

Unauthenticated attackers can exploit the public-facing web application (T1190) to delete arbitrary member records, enabling data destruction (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References