CVE-2019-10673 – Ultimate Member <= 2.0.39 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2019-10673
A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the e-mail address in the administrator profile, and then the attacker is able to reset the administrator password using the WordPress "password forget" form.
WordPress Ultimate Member plugin version 2.0.38 suffers from a cross site request forgery vulnerability.
• http://packetstormsecurity.com/files/152315/WordPress-Ultimate-Member-2.0.38-Cross-Site-Request-Forgery.html
• https://wpvulndb.com/vulnerabilities/9250
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-17866 – Ultimate Member <= 2.0.27 - Multiple Cross-Site Scripting vulnerabilities
https://notcve.org/view.php?id=CVE-2018-17866
Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin before 2.0.28 for WordPress allow remote attackers to inject arbitrary web script or HTML via the "Primary button Text" or "Second button text" field.
• https://serhack.me/articles/ultimate-member-xss-security-issue
• https://wordpress.org/plugins/ultimate-member/#developers
• https://wpvulndb.com/vulnerabilities/9615
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-13136 – Ultimate Member <= 2.0.17 - Authenticated Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-13136
The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen.
• https://github.com/ultimatemember/ultimatemember/issues/456
• https://github.com/ultimatemember/ultimatemember/releases/tag/2.0.18
• https://wpvulndb.com/vulnerabilities/9708
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-0585 – Ultimate Member <= 1.3.88 - Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-0585
Cross-site scripting vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
• http://jvn.jp/en/jp/JVN28804532/index.html
• https://wordpress.org/plugins/ultimate-member/#developers
• https://wpvulndb.com/vulnerabilities/9608
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-6944 – Ultimate Member <= 2.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-6944
core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.
WordPress UltimateMember plugin version 2.0 suffers from multiple cross site scripting vulnerabilities.
• https://packetstormsecurity.com/files/146403/WordPress-UltimateMember-2.0-Cross-Site-Scripting.html
• https://wpvulndb.com/vulnerabilities/9705
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')