
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Directory traversal vulnerability in the shortcodes function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to read arbitrary files via unspecified vectors.

References: http://jvn.jp/en/jp/JVN28804532/index.html • https://wordpress.org/plugins/ultimate-member/#developers • https://wpvulndb.com/vulnerabilities/9608

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to add a new form in the 'Forms' page via unspecified vectors.

References: http://jvn.jp/en/jp/JVN28804532/index.html • https://wordpress.org/plugins/ultimate-member/#developers • https://wpvulndb.com/vulnerabilities/9608

CWE-284: Improper Access Control

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Directory traversal vulnerability in the AJAX function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to read arbitrary files via unspecified vectors.

References: http://jvn.jp/en/jp/JVN28804532/index.html • https://wordpress.org/plugins/ultimate-member/#developers • https://wpvulndb.com/vulnerabilities/9608

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Unrestricted file upload vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors.

The Ultimate Member plugin for WordPress is vulnerable to unrestricted file uploads in versions prior to version 2.0.4. This makes it possible for authenticated attackers to upload arbitrary image files via unspecified vectors.

References: http://jvn.jp/en/jp/JVN28804532/index.html • https://wordpress.org/plugins/ultimate-member/#developers • https://wpvulndb.com/vulnerabilities/9608

CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to modify other users' profiles via unspecified vectors.

The Ultimate Member plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions prior to version 2.0.4. This is due to an access restriction bypass via unspecified vectors. This makes it possible for authenticated attackers to modify other users' profiles via unspecified vectors.

References: http://jvn.jp/en/jp/JVN28804532/index.html • https://wordpress.org/plugins/ultimate-member/#developers • https://wpvulndb.com/vulnerabilities/9608

CWE-639: Authorization Bypass Through User-Controlled Key