CVE-2018-13136 – Ultimate Member <= 2.0.17 - Authenticated Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-13136
The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen.
• https://github.com/ultimatemember/ultimatemember/issues/456
• https://github.com/ultimatemember/ultimatemember/releases/tag/2.0.18
• https://wpvulndb.com/vulnerabilities/9708
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-0586 – Ultimate Member <= 2.0.3 - Directory Traversal
https://notcve.org/view.php?id=CVE-2018-0586
Directory traversal vulnerability in the shortcodes function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to read arbitrary files via unspecified vectors.
• http://jvn.jp/en/jp/JVN28804532/index.html
• https://wordpress.org/plugins/ultimate-member/#developers
• https://wpvulndb.com/vulnerabilities/9608
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2018-0585 – Ultimate Member <= 1.3.88 - Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-0585
Cross-site scripting vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
• http://jvn.jp/en/jp/JVN28804532/index.html
• https://wordpress.org/plugins/ultimate-member/#developers
• https://wpvulndb.com/vulnerabilities/9608
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-0589 – Ultimate Member <= 2.0.3 - Improper Access Control
https://notcve.org/view.php?id=CVE-2018-0589
Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to add a new form in the 'Forms' page via unspecified vectors.
• http://jvn.jp/en/jp/JVN28804532/index.html
• https://wordpress.org/plugins/ultimate-member/#developers
• https://wpvulndb.com/vulnerabilities/9608
• CWE-284: Improper Access Control

CVE-2018-0588 – Ultimate Member <= 2.0.39 - Directory Traversal
https://notcve.org/view.php?id=CVE-2018-0588
Directory traversal vulnerability in the AJAX function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to read arbitrary files via unspecified vectors.
• http://jvn.jp/en/jp/JVN28804532/index.html
• https://wordpress.org/plugins/ultimate-member/#developers
• https://wpvulndb.com/vulnerabilities/9608
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')