CVE-2025-70148
Published: 18 February 2026
Summary
CVE-2025-70148 is a high-severity Missing Authorization (CWE-862) vulnerability in Codeastro Membership Management System. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
Reviews of access controls detect missing authorization checks on critical functions or resources.
Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing auth/IDOR in public web app component directly enables remote exploitation for data access via T1190.
NVD Description
Missing authentication and authorization in print_membership_card.php in CodeAstro Membership Management System 1.0 allows unauthenticated attackers to access membership card data of arbitrary users via direct requests with a manipulated id parameter, resulting in insecure direct object reference (IDOR).
Deeper analysisAI
CVE-2025-70148 affects the CodeAstro Membership Management System version 1.0, specifically the print_membership_card.php component. The vulnerability stems from missing authentication and authorization, enabling an insecure direct object reference (IDOR) condition. Unauthenticated attackers can access membership card data for arbitrary users by sending direct requests with a manipulated id parameter. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-862 (Missing Authorization).
Any unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and no user interaction. By crafting HTTP requests to print_membership_card.php and altering the id parameter to target another user's identifier, attackers can retrieve sensitive membership card data, achieving high-impact confidentiality violations without affecting integrity or availability.
Mitigation details and further advisories are referenced in the following resources: the product page at https://www.phpscriptsonline.com/product/membership-management-software and the analysis post at https://youngkevinn.github.io/posts/CVE-2025-70148-Membership-IDOR/. The CVE was published on 2026-02-18T18:24:19.790.
Details
- CWE(s)