
CVSS: 9.8 • EPSS: 7% • CPEs: 1 • EXPL: 8

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild. The Ultimate Member plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.6. This is due to the plugin using a predefined list of banned user meta keys, which can be bypassed via a few methods, such as adding slashes to the user meta key. This makes it possible for unauthenticated attackers to register on a site as an administrator.
• https://github.com/gbrsh/CVE-2023-3460
• https://github.com/diego-tella/CVE-2023-3460
• https://github.com/julienbrs/exploit-CVE-2023-3460
• https://github.com/Rajneeshkarya/CVE-2023-3460
• https://github.com/yon3zu/Mass-CVE-2023-3460
• https://github.com/EmadYaY/CVE-2023-3460
• https://github.com/rizqimaulanaa/CVE-2023-3460
• https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin
• https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7
• CWE-266: Incorrect Privilege Assignment

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in Ultimate Member plugin <= 2.6.0 versions. The Ultimate Member plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.0. This is due to missing or incorrect nonce validation on the duplicate_form function. This makes it possible for unauthenticated attackers to duplicate forms created with the plugin via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
• https://patchstack.com/database/vulnerability/ultimate-member/wordpress-ultimate-member-plugin-2-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

A vulnerability, which was classified as critical, has been found in Ultimate Member Plugin up to 2.5.0. This issue affects the function load_template of the file includes/core/class-shortcodes.php of the component Template Handler. The manipulation of the argument tpl leads to pathname traversal. The attack may be initiated remotely. Upgrading to version 2.5.1 addresses this issue.
• https://github.com/ultimatemember/ultimatemember/commit/e1bc94c1100f02a129721ba4be5fbc44c3d78ec4
• https://github.com/ultimatemember/ultimatemember/releases/tag/2.5.1
• https://vuldb.com/?id.213545
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 2

The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including, 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a php file then remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users.
• https://github.com/H4de5-7/vulnerabilities/blob/main/CVE-2022-3361.md
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2805393%40ultimate-member&new=2805393%40ultimate-member&sfp_email=&sfph_mail=
• https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3361
• https://www.yuque.com/docs/share/23f988ad-1402-42f2-b8d2-c7a87a4022bd
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 2

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function, which accepts user-supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server.
• https://github.com/H4de5-7/vulnerabilities/blob/main/CVE-2022-3383%20%26%26%20CVE-2022-3384.md
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2805393%40ultimate-member&new=2805393%40ultimate-member&sfp_email=&sfph_mail=
• https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3383
• https://www.yuque.com/docs/share/8796eef9-ac4c-4339-96b4-6c21313ecf3e
• CWE-94: Improper Control of Generation of Code ('Code Injection')