Stored Cross-Site Scripting Vulnerability in Ultimate Member Plugin for WordPress
CVE-2024-2765

5.4 MEDIUM

Summary

The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its Skype and Spotify URL parameters in all versions up to and including 2.8.4, due to insufficient input sanitization and output escaping. Authenticated users with subscriber-level access or higher can exploit this flaw to inject arbitrary scripts into web pages. When other users visit the affected pages, their browsers execute the injected scripts, potentially leading to session hijacking, data theft, or other malicious activity.
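The advisory attributes the flaw to both halves of the defence being missing: validating a profile URL field on input, and escaping it for the attribute context on output. The following is an added illustration, not code from the Ultimate Member plugin; the per-field scheme allow-list (skype:, spotify:, https:) and the sample inputs are assumptions constructed for the example.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Assumed policy for the two profile link fields named in the advisory:
# each field accepts only the schemes that make sense for it.
ALLOWED_SCHEMES = {
    "skype": {"skype", "https"},
    "spotify": {"spotify", "https"},
}


def sanitize_profile_url(field: str, raw: str) -> Optional[str]:
    """Input half: return the URL to store, or None to reject it.

    Escaping alone would not help here, because a javascript: URL in an
    href is a valid attribute value; the scheme must be allow-listed.
    """
    value = raw.strip()
    # urlsplit lower-cases the scheme and yields '' if the prefix is not a
    # legal scheme (e.g. it contains a tab), so obfuscated forms fall through.
    scheme = urlsplit(value).scheme
    if scheme not in ALLOWED_SCHEMES.get(field, set()):
        return None
    # Whitespace and control characters never belong in a stored profile URL.
    if any(c.isspace() or ord(c) < 0x20 for c in value):
        return None
    return value


def render_profile_link(field: str, stored: str) -> str:
    """Output half: escape for the HTML attribute context at render time.

    Allow-listing alone would not help here, because an https: URL may
    still carry a double quote that would break out of the attribute.
    """
    href = escape(stored, quote=True)
    return '<a href="%s" rel="noopener">%s</a>' % (href, escape(field))


def store_and_render(field: str, raw: str) -> str:
    """Apply both halves; an empty string means the value was rejected."""
    stored = sanitize_profile_url(field, raw)
    return "" if stored is None else render_profile_link(field, stored)
```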

Affected Version(s)

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.8.4

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kevin Wydler