CVE-2025-70150
Published: 18 February 2026
Summary
CVE-2025-70150 is a critical-severity Missing Authorization (CWE-862) vulnerability in the CodeAstro Membership Management System; the CVE description itself words it as a missing authentication flaw. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Exploit likelihood is ranked at the 42.8th percentile (below the median), the CVE is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-70150 is a missing authentication flaw, classified as CWE-862 (Missing Authorization), in the CodeAstro Membership Management System version 1.0, specifically in the delete_members.php script. The script deletes the member record selected by the id request parameter without first checking that the requester is logged in or is permitted to delete members, so any unauthenticated client that can reach the page can delete arbitrary member records. The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8): the flaw is reachable over the network, requires no privileges and no user interaction, and has low attack complexity. The published vector rates all three impacts High; the effect the advisory actually describes is loss of integrity and availability of member data.
Unauthenticated remote attackers exploit this by requesting delete_members.php directly with an id value of their choosing; each request permanently deletes the matching member record, and iterating over id values clears the membership table. Because no credentials are involved, the application attributes the deletion to no user, so web-server access logs are the only record of who issued the request. Any deployment of version 1.0 exposed to untrusted networks should therefore be treated as at risk of silent data destruction until delete_members.php enforces authentication and authorization.
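As an added example, not code from the CodeAstro project or from the advisory, the handler below shows the vulnerable shape the advisory describes (a delete keyed on the id parameter with no check of who is asking) next to a hardened version of the same script. The advisory does not publish the original source, so the table and column names, the session keys (`user_id`, `role`, `csrf_token`), the PDO DSN and the redirect target are all assumptions; the hardening steps (session and role check, POST only, CSRF token, integer validation, parameterised statement, audit log) are the standard controls for CWE-862 and are what NIST AC-3/AC-14 ask for at the code level.

```php
<?php
// Added example, not the CodeAstro Membership Management System's own code.
// Table name `members`, column `id`, session keys and the DSN are assumptions.
declare(strict_types=1);
session_start();

// --- Vulnerable shape, as described in the advisory -----------------------
// Nothing checks who is asking: any request carrying ?id= deletes that member.
//
//   $stmt = $pdo->prepare('DELETE FROM members WHERE id = ?');
//   $stmt->execute([$_GET['id']]);
//   header('Location: members.php');

// --- Hardened handler ------------------------------------------------------

// 1. Authentication and authorization (CWE-862): the caller must have an
//    authenticated session with a role that is allowed to delete members.
if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}

// 2. A state-changing action is accepted only via POST. This stops link
//    prefetchers, bookmarks and simple GET probes from deleting records.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}

// 3. CSRF token bound to the session. Assumed to be generated with
//    random_bytes() when the members page renders its delete form.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// 4. Validate id as a positive integer before it reaches the database.
//    filter_input() returns false on an invalid value and null when absent.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad id');
}

// 5. Parameterised delete; the DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=membership', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('DELETE FROM members WHERE id = :id');
$stmt->execute([':id' => $id]);

// 6. Record who deleted what. Access enforcement (AC-3) is only auditable
//    if the application itself attributes the action to a user.
error_log(sprintf(
    'member %d deleted by user %d (%s) from %s',
    $id,
    (int) $_SESSION['user_id'],
    $stmt->rowCount() === 1 ? 'ok' : 'no such row',
    $_SERVER['REMOTE_ADDR'] ?? '?'
));

http_response_code(303);
header('Location: members.php');
```

Steps 1 and 2 alone close the reported flaw; steps 3 to 6 are what a reviewer would expect in the same script once it is reachable only by authenticated administrators. If the application already has a shared login check included at the top of every page, the fix is to include it in delete_members.php as well, but the method, CSRF and validation checks still belong here because the login include does not provide them.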
Advisories and additional details are documented in the references, including the product page at https://www.phpscriptsonline.com/product/membership-management-software and the analysis at https://youngkevinn.github.io/posts/CVE-2025-70150-Membership-Unauth-Delete/. The CVE was published on 2026-02-18T18:24:20.040.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207781
Vulnerability details
CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in delete_members.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated attackers reach delete_members.php over the network, which is Exploit Public-Facing Application (T1190); the resulting deletion of arbitrary member records is Data Destruction (T1485).
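To turn the T1190/T1485 mapping into something a SOC can act on, the following added example (not from the page or the project) runs a detection pass over constructed web-server access-log lines in Combined Log Format. It flags every request to delete_members.php that carries an id parameter, notes when the state change arrived via GET or without a Referer, and raises a separate "sweep" finding when one source address deletes several distinct ids within a short window, which is what enumerating the id space looks like. The path, the log format, the sample lines and the burst thresholds are assumptions to be tuned to the deployment.

```php
<?php
// Added example, not the project's code. Log lines below are constructed.
declare(strict_types=1);

const LOG_LINES = <<<'LOG'
203.0.113.7 - - [18/Feb/2026:10:01:02 +0000] "GET /delete_members.php?id=1 HTTP/1.1" 302 0 "-" "curl/8.5.0"
203.0.113.7 - - [18/Feb/2026:10:01:03 +0000] "GET /delete_members.php?id=2 HTTP/1.1" 302 0 "-" "curl/8.5.0"
203.0.113.7 - - [18/Feb/2026:10:01:03 +0000] "GET /delete_members.php?id=3 HTTP/1.1" 302 0 "-" "curl/8.5.0"
198.51.100.9 - - [18/Feb/2026:10:05:40 +0000] "GET /members.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Feb/2026:10:06:12 +0000] "GET /delete_members.php?id=42 HTTP/1.1" 302 0 "https://app.example/members.php" "Mozilla/5.0"
LOG;

/** Parse one Combined Log Format line; null if it does not match. */
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return [
        'ip'      => $m[1],
        'time'    => $ts ? $ts->getTimestamp() : 0,
        'method'  => $m[3],
        'url'     => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'ua'      => $m[7],
    ];
}

/** The id parameter if the request targets delete_members.php, else null. */
function deleteTarget(string $url): ?string
{
    $parts = parse_url($url);
    if (($parts['path'] ?? '') !== '/delete_members.php') {
        return null;
    }
    parse_str($parts['query'] ?? '', $q);
    return isset($q['id']) ? (string) $q['id'] : null;
}

/**
 * One finding per delete request, plus a "sweep" finding when a single
 * source hits $burst or more distinct ids within $window seconds.
 */
function detect(string $log, int $burst = 3, int $window = 60): array
{
    $findings = [];
    $bySource = [];
    foreach (explode("\n", trim($log)) as $line) {
        $e = parseLine($line);
        if ($e === null || ($id = deleteTarget($e['url'])) === null) {
            continue;
        }
        $reasons = ['delete_members.php with id=' . $id];
        if ($e['method'] === 'GET') {
            $reasons[] = 'state change via GET';
        }
        if ($e['referer'] === '-') {
            $reasons[] = 'no Referer (scripted client?)';
        }
        $findings[] = ['ip' => $e['ip'], 'id' => $id, 'reasons' => $reasons];
        $bySource[$e['ip']][] = ['t' => $e['time'], 'id' => $id];
    }
    foreach ($bySource as $ip => $hits) {
        $first = $hits[0]['t'];
        $last  = $hits[count($hits) - 1]['t'];
        $ids   = array_unique(array_column($hits, 'id'));
        if (count($ids) >= $burst && ($last - $first) <= $window) {
            $findings[] = [
                'ip'      => $ip,
                'id'      => '*',
                'reasons' => [sprintf('sweep: %d distinct ids in %ds', count($ids), $last - $first)],
            ];
        }
    }
    return $findings;
}

foreach (detect(LOG_LINES) as $f) {
    printf("%-14s id=%-3s %s\n", $f['ip'], $f['id'], implode('; ', $f['reasons']));
}
```

On the constructed input, 203.0.113.7 produces three per-request findings and one sweep finding, while 198.51.100.9 produces a single finding for id 42. That second finding is what a legitimate administrator's deletion also looks like if the application issues deletes as GET links, so the burst rule, not the per-request rule, is the one worth alerting on; the per-request findings are better kept as enrichment for the incident timeline, since they are the only attribution the vulnerable version leaves behind.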
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): explicitly enumerates the few actions allowed without identification or authentication, so that a destructive operation such as the delete in delete_members.php can never be among them.
- AC-3 (Access Enforcement): enforces the approved access control policy on every request, blocking unauthenticated access to sensitive operations such as deleting the member record named by the id parameter.
- AC-6 (Least Privilege): restricts delete functions to the roles that need them, so that even an authenticated but ordinary member cannot remove other members' records.