CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43240 – WordPress Indeed Ultimate Membership Pro plugin <= 12.6 - Unauthenticated Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2024-43240
12 Aug 2024 — Improper Privilege Management vulnerability in azzaroco Ultimate Membership Pro allows Privilege Escalation.This issue affects Ultimate Membership Pro: from n/a through 12.6. The Indeed Membership Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 12.7. This is due to the plugin not properly restricting access to functionality that allows privilege assignment. This makes it possible for unauthenticated attackers to gain access to accounts that have higher pr... • https://patchstack.com/database/vulnerability/indeed-membership-pro/wordpress-indeed-ultimate-membership-pro-plugin-12-6-unauthenticated-privilege-escalation-vulnerability?_s_id=cve • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43241 – WordPress Indeed Ultimate Membership Pro plugin <= 12.6 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43241
12 Aug 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in azzaroco Ultimate Membership Pro allows Reflected XSS.This issue affects Ultimate Membership Pro: from n/a through 12.6. The Indeed Membership Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 12.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in ... • https://patchstack.com/database/vulnerability/indeed-membership-pro/wordpress-indeed-ultimate-membership-pro-plugin-12-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43242 – WordPress Indeed Ultimate Membership Pro plugin <= 12.6 - Unauthenticated PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-43242
12 Aug 2024 — Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro allows Object Injection.This issue affects Ultimate Membership Pro: from n/a through 12.6. The Indeed Membership Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 12.7 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an a... • https://patchstack.com/database/vulnerability/indeed-membership-pro/wordpress-indeed-ultimate-membership-pro-plugin-12-6-unauthenticated-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •