Cyber Resilience

CVE-2025-70148

Severity: High · Public PoC available

Published: 18 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: no vendor patch reference recorded on this page
CVSS Score: v3.1 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0014 (34.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-70148 is a high-severity Missing Authorization (CWE-862) vulnerability in the CodeAstro Membership Management System, with a CVSS v3.1 base score of 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 34.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. The low EPSS should not be read as low urgency for an internet-exposed instance: the request needs no credentials, no user interaction and no special skill, and the proof-of-concept is public.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-70148 affects CodeAstro Membership Management System version 1.0, specifically the print_membership_card.php script. The script checks neither that the caller is logged in nor that the caller is entitled to the requested record, so the id parameter becomes an insecure direct object reference (IDOR): an unauthenticated attacker retrieves any member's card by requesting the script directly with another user's id. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-862 (Missing Authorization).

Any attacker with network access to the application can exploit this with low complexity, no privileges and no user interaction: a direct request to print_membership_card.php with the id parameter set to another user's identifier returns that user's membership card data. Because the record is selected purely by the supplied id, the same request can be repeated across the id space to collect every member's card. The impact is a high-severity confidentiality loss; integrity and availability are unaffected, which is why the vector scores C:H/I:N/A:N.

Mitigation details and further advisories are referenced in the following resources: the product page at https://www.phpscriptsonline.com/product/membership-management-software and the analysis post at https://youngkevinn.github.io/posts/CVE-2025-70148-Membership-IDOR/. The CVE was published on 2026-02-18T18:24:19.790.

Vulnerability details

Missing authentication and authorization in print_membership_card.php in CodeAstro Membership Management System 1.0 allows unauthenticated attackers to access membership card data of arbitrary users via direct requests with a manipulated id parameter, resulting in insecure direct object reference (IDOR).

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization (IDOR) in a public-facing web application component directly enables remote, unauthenticated data access, which is the T1190 pattern.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
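The T1190 mapping above describes exploitation as direct requests to print_membership_card.php with varying id values, which leaves a recognisable trace in web server access logs. The following is an added detection example written for this page; it is not code from the product, the advisory or the analysis post. It parses Combined Log Format lines and flags a client that requests print_membership_card.php with many distinct id values inside a short window. The log lines, the threshold (5 distinct ids) and the window (5 minutes) are constructed for the example and are assumptions to tune for your own traffic.

```python
"""Detecting id enumeration against print_membership_card.php (added example).

Stand-alone detection logic written for this page; it is not from the product
or the advisory. Parses Combined Log Format access-log lines and flags clients
that request the target script with many distinct id values in a short window.
SAMPLE_LOG, the threshold and the window are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TARGET_SCRIPT = "/print_membership_card.php"

# Constructed sample log: 10.0.0.5 walks the id space; 10.0.0.9 prints its own card twice.
SAMPLE_LOG = """\
10.0.0.9 - - [18/Feb/2026:10:00:01 +0000] "GET /print_membership_card.php?id=7 HTTP/1.1" 200 1834
10.0.0.5 - - [18/Feb/2026:10:02:10 +0000] "GET /print_membership_card.php?id=1 HTTP/1.1" 200 1802
10.0.0.5 - - [18/Feb/2026:10:02:11 +0000] "GET /print_membership_card.php?id=2 HTTP/1.1" 200 1799
10.0.0.5 - - [18/Feb/2026:10:02:11 +0000] "GET /print_membership_card.php?id=3 HTTP/1.1" 200 1810
10.0.0.5 - - [18/Feb/2026:10:02:12 +0000] "GET /print_membership_card.php?id=4 HTTP/1.1" 404 512
10.0.0.5 - - [18/Feb/2026:10:02:12 +0000] "GET /print_membership_card.php?id=5 HTTP/1.1" 200 1820
10.0.0.5 - - [18/Feb/2026:10:02:13 +0000] "GET /print_membership_card.php?id=6 HTTP/1.1" 200 1811
10.0.0.9 - - [18/Feb/2026:10:05:40 +0000] "GET /print_membership_card.php?id=7 HTTP/1.1" 200 1834
10.0.0.5 - - [18/Feb/2026:11:30:00 +0000] "GET /index.php HTTP/1.1" 200 4021
"""


def parse_line(line):
    """Return (ip, timestamp, id-or-None) for a request to the target script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_SCRIPT:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    ids = parse_qs(parts.query).get("id", [None])
    return m.group("ip"), ts, ids[0]


def find_enumerators(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: sorted distinct ids} for clients that requested at least
    `threshold` distinct id values within any span of length `window`.
    Uses a per-client sliding window over time-ordered events; the largest
    qualifying id set seen for that client is reported."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] is not None:
            ip, ts, mid = parsed
            events[ip].append((ts, mid))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        best = set()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {mid for _, mid in evs[start:end + 1]}
            if len(distinct) >= threshold and len(distinct) > len(best):
                best = distinct
        if best:
            hits[ip] = sorted(best, key=lambda s: (len(s), s))
    return hits


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {len(ids)} distinct ids within window: {ids}")
```

Status codes are deliberately not filtered: an attacker walking the id space produces 404s for gaps alongside 200s for real members, and both belong to the same burst. Once the endpoint is patched to require authentication and ownership, the same enumeration shows up as a burst of 302/403 responses from one client on this path, which is worth a second, lower-threshold rule.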

CVEs Like This One

CVE-2025-70150 (same product: CodeAstro Membership Management System)
CVE-2025-70149 (same product: CodeAstro Membership Management System)
CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)

Affected Assets

Vendor: codeastro · Product: membership management system · Version: 1.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to information and resources, directly mitigating the missing authorization that allows IDOR exploitation in print_membership_card.php. In practice this is the object-level check the script lacks: the requested id must belong to the authenticated user, or the user must hold a role that is permitted to print other members' cards.

AC-14 Permitted Actions Without Identification or Authentication (prevent): Defines and permits only approved actions without identification or authentication; printing a membership card is not such an action, so unauthenticated requests with a manipulated id parameter must be refused.

Identification and authentication for non-organizational users (prevent): Requires identification and authentication for non-organizational users, preventing unauthenticated attackers from reaching the vulnerable endpoint at all. Note that authentication alone does not close the flaw: a logged-in member can still change the id unless AC-3 is also enforced.
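The Deeper analysis section and the three controls above describe the same two missing checks: the script must first require an authenticated session (no anonymous action is permitted on this endpoint) and then enforce that the requested id belongs to the caller or that the caller is an administrator. The following is an added example written for this page, not the CodeAstro application's PHP code: a stand-alone Python WSGI model of the endpoint that places the vulnerable lookup beside the hardened one so the two behaviours can be compared in-process. The member table, the session store, the PHPSESSID cookie name, the member/admin roles and the /login.php redirect target are all assumptions made for the example.

```python
"""Model of the print_membership_card.php authorization fix (added example).

NOT the CodeAstro application's code: a Python WSGI model written for this
page. vulnerable_app looks the card up by the request's id parameter alone
(CWE-862). hardened_app requires an authenticated session and then enforces
object-level authorization (owner or admin). MEMBERS, SESSIONS, the cookie
name, the roles and the login redirect are constructed assumptions.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed sample data: member id -> card record (not real data).
MEMBERS = {
    7: {"name": "A. Example", "plan": "gold", "expires": "2026-12-31"},
    3: {"name": "B. Example", "plan": "silver", "expires": "2026-06-30"},
}
# Constructed session store: session token -> authenticated principal.
SESSIONS = {
    "sess-user7": {"user_id": 7, "role": "member"},
    "sess-user3": {"user_id": 3, "role": "member"},
    "sess-admin": {"user_id": 1, "role": "admin"},
}


def _session(environ):
    """Resolve the PHPSESSID cookie to a session record, or None if anonymous."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    token = cookie["PHPSESSID"].value if "PHPSESSID" in cookie else None
    return SESSIONS.get(token)


def _requested_id(environ):
    """Parse the id query parameter as an int; None if missing or malformed."""
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    try:
        return int(qs.get("id", [""])[0])
    except ValueError:
        return None


def render_card(member_id):
    m = MEMBERS[member_id]
    return f"Membership card #{member_id}: {m['name']} ({m['plan']}, expires {m['expires']})"


def vulnerable_app(environ, start_response):
    """Vulnerable pattern (CWE-862): no session check, no ownership check."""
    mid = _requested_id(environ)
    if mid not in MEMBERS:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"no such member"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [render_card(mid).encode()]


def hardened_app(environ, start_response):
    """Hardened pattern: authenticate first, then authorize the specific object."""
    sess = _session(environ)
    if sess is None:
        # No anonymous action is permitted on this endpoint (AC-14).
        start_response("302 Found", [("Location", "/login.php")])
        return [b""]
    mid = _requested_id(environ)
    if mid is None:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"invalid id"]
    # Object-level authorization (AC-3): only the owner or an admin may print this card.
    # Checked before existence so a member cannot probe which ids exist.
    if sess["role"] != "admin" and sess["user_id"] != mid:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden"]
    if mid not in MEMBERS:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"no such member"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [render_card(mid).encode()]


def call(app, member_id, session_token=None):
    """Drive a WSGI app in-process; returns (status, body) for GET ...?id=<member_id>."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/print_membership_card.php",
        "QUERY_STRING": f"id={member_id}",
        "HTTP_COOKIE": f"PHPSESSID={session_token}" if session_token else "",
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


if __name__ == "__main__":
    print("vulnerable, anonymous, id=7:", call(vulnerable_app, 7))
    print("hardened,   anonymous, id=7:", call(hardened_app, 7))
    print("hardened,   user 3,    id=7:", call(hardened_app, 7, "sess-user3"))
    print("hardened,   user 7,    id=7:", call(hardened_app, 7, "sess-user7"))
```

The ordering in hardened_app is deliberate: the ownership check runs before the existence check, so a logged-in member who tampers with id gets the same 403 whether or not that id exists, and the endpoint does not become an oracle for valid member ids. The same three decisions (anonymous, not owner, owner or admin) are what to port into the PHP script: resolve the session, compare its user id with the requested id, and only then run the query.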
