Ultimate Member Plugin Vulnerable to Stored Cross-Site Scripting
CVE-2024-2123

7.2HIGH

Key Information:

Vendor
Wordpress
Status
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vendor
CVE Published:
13 March 2024

Summary

The Ultimate Member Plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping. This flaw exists in numerous parameters across all versions up to and including 2.8.3. It allows unauthenticated attackers to inject arbitrary web scripts into pages. These scripts are activated whenever a user accesses a compromised page, posing potential risks to user data and overall website security. It is crucial for users of the Ultimate Member Plugin to implement appropriate security measures to mitigate these risks.

Affected Version(s)

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin * <= 2.8.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/ultimate-membe...
https://plugins.trac.wordpress.org/browser/ultimate-membe...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matthew Rollings
.