CVE-2025-70148
Published: 18 February 2026
Summary
CVE-2025-70148 is a high-severity Missing Authorization (CWE-862) vulnerability in Codeastro Membership Management System. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-70148 affects the CodeAstro Membership Management System version 1.0, specifically the print_membership_card.php component. The vulnerability stems from missing authentication and authorization, enabling an insecure direct object reference (IDOR) condition. Unauthenticated attackers can access membership card data for arbitrary users by sending direct requests with a manipulated id parameter. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-862 (Missing Authorization).
Any unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and no user interaction. By crafting HTTP requests to print_membership_card.php and altering the id parameter to target another user's identifier, attackers can retrieve sensitive membership card data, achieving high-impact confidentiality violations without affecting integrity or availability.
Mitigation details and further advisories are referenced in the following resources: the product page at https://www.phpscriptsonline.com/product/membership-management-software and the analysis post at https://youngkevinn.github.io/posts/CVE-2025-70148-Membership-IDOR/. The CVE was published on 2026-02-18T18:24:19.790.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207908
Vulnerability details
Missing authentication and authorization in print_membership_card.php in CodeAstro Membership Management System 1.0 allows unauthenticated attackers to access membership card data of arbitrary users via direct requests with a manipulated id parameter, resulting in insecure direct object reference (IDOR).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing auth/IDOR in public web app component directly enables remote exploitation for data access via T1190.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for access to information and resources, directly mitigating the missing authentication and authorization that allows IDOR exploitation in print_membership_card.php.
Defines and permits only approved actions without identification or authentication, prohibiting unauthenticated requests with manipulated id parameters to access arbitrary membership card data.
Requires identification and authentication for non-organizational users, preventing unauthenticated attackers from exploiting the vulnerable endpoint.