WordPress Indeed Ultimate Membership Pro plugin <= 12.6 - Unauthenticated PHP Object Injection vulnerability
CVE-2024-43242

10CRITICAL

Key Information:

Vendor: WordPress
Status: Ultimate Membership Pro
Vendor: CVE Published:; 19 August 2024

Summary

The vulnerability identified in Ultimate Membership Pro allows for deserialization of untrusted data, which can lead to object injection. This flaw affects versions from n/a to 12.6, presenting significant security risks for users leveraging this plugin. Attackers can exploit this vulnerability to create malicious payloads that may compromise the integrity of the application and its data.

Affected Version(s)

Ultimate Membership Pro <= 12.6

References

https://patchstack.com/database/vulnerability/indeed-memb...

vdb-entry

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Aug 19, 2024

Credit

Rafie Muhammad (Patchstack)