CVE-2019-14945 – Ultimate Member <= 2.0.53 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-14945
The ultimate-member plugin before 2.0.54 for WordPress has XSS. • https://wordpress.org/plugins/ultimate-member/#developers https://wpvulndb.com/vulnerabilities/9506 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-14946 – Ultimate Member <= 2.0.51 - Cross-Site Request Forgery and Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-14946
The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations. • https://wordpress.org/plugins/ultimate-member/#developers https://wpvulndb.com/vulnerabilities/9449 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-14947 – Ultimate Member <= 2.0.51 - Cross-Site Request Forgery and Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-14947
The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade. • https://wordpress.org/plugins/ultimate-member/#developers https://wpvulndb.com/vulnerabilities/9449 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-10271 – Ultimate Member <= 2.0.39 - Unauthorized Profile Modification
https://notcve.org/view.php?id=CVE-2019-10271
An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. It is possible to modify the profile and cover picture of any user once one is connected. One can also modify the profiles and cover pictures of privileged users. To perform such a modification, one first needs to (for example) intercept an upload-picture request and modify the user_id parameter. • https://cxsecurity.com/issue/WLB-2019060120 • CWE-862: Missing Authorization •
CVE-2019-10270 – Ultimate Member <= 2.0.39 - Privilege Escalation
https://notcve.org/view.php?id=CVE-2019-10270
An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It is possible (due to lack of verification and correlation between the reset password key sent by mail and the user_id parameter) to reset the password of another user. One only needs to know the user_id, which is publicly available. One just has to intercept the password modification request and modify user_id. It is possible to modify the passwords for any users or admin WordPress Ultimate Members. • https://cxsecurity.com/issue/WLB-2019060101 • CWE-269: Improper Privilege Management CWE-640: Weak Password Recovery Mechanism for Forgotten Password •