CVE-2018-0587 – Ultimate Member < 2.0.4 - Authenticated Unrestricted File Upload
https://notcve.org/view.php?id=CVE-2018-0587
Unrestricted file upload vulnerability in the Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors. The Ultimate Member plugin for WordPress is vulnerable to unrestricted file uploads in versions prior to 2.0.4, which makes it possible for authenticated attackers to upload arbitrary image files via unspecified vectors.
References: http://jvn.jp/en/jp/JVN28804532/index.html https://wordpress.org/plugins/ultimate-member/#developers https://wpvulndb.com/vulnerabilities/9608
CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2018-0590 – Ultimate Member < 2.0.4 - Insecure Direct Object Reference
https://notcve.org/view.php?id=CVE-2018-0590
The Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restrictions and modify other users' profiles via unspecified vectors. The Ultimate Member plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions prior to 2.0.4, due to an access-restriction bypass via unspecified vectors; this makes it possible for authenticated attackers to modify other users' profiles.
References: http://jvn.jp/en/jp/JVN28804532/index.html https://wordpress.org/plugins/ultimate-member/#developers https://wpvulndb.com/vulnerabilities/9608
CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2018-10234 – Ultimate Member <= 2.0.10 - Authenticated Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-10234
Authenticated Cross-Site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.
References: https://github.com/RiieCco/write-ups/tree/master/CVE-2018-10234 https://wordpress.org/plugins/ultimate-member/#developers
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-10233 – Ultimate Member <= 2.0.6 - Multiple Cross-Site Request Forgery Issues
https://notcve.org/view.php?id=CVE-2018-10233
The User Profile & Membership plugin before 2.0.7 for WordPress has no mitigations implemented against cross-site request forgery attacks. This is a structural finding that affects the entire plugin.
References: https://github.com/RiieCco/write-ups/tree/master/CVE-2018-10233 https://wordpress.org/plugins/ultimate-member/#developers https://wpvulndb.com/vulnerabilities/9611
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-6944 – Ultimate Member <= 2.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-6944
core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable. WordPress UltimateMember plugin version 2.0 suffers from multiple cross-site scripting vulnerabilities.
References: https://packetstormsecurity.com/files/146403/WordPress-UltimateMember-2.0-Cross-Site-Scripting.html https://wpvulndb.com/vulnerabilities/9705
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')