Ultimate Member 2.39 Unauthorized profile modification

2019.06.18
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-269


Overall CVSS score: 4/10
Impact: 2.9/10
Exploitability: 8/10
Required access: Remote
Attack complexity: Low
Authentication: Single
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

#### [CVE-2019-10271] Ultimate Member 2.39 Unauthorized profile modification ####

#### Description ####
An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. As a connected and authenticated user it is possible to modify the profile and cover picture of any user. It is also possible to modify the profiles and cover pictures of privileged users as admin user.

#### Timeline (dd/mm/yyyy) ####
++ 12/03/2019 : Initial discovery
++ 13/03/2019 : First contact attempt (email)
++ 13/03/2019 : Response from editor
++ 26/03/2019 : Technical details sent to the editor
++ 26/03/2019 : Reply: fix planned for release 2.40
++ 15/06/2019 : Release of the advisory

#### Fixes ####
Upgrade to Ultimate Member 2.40

#### Affected versions ####
++ Versions up to 2.39

#### Credits ####
++ Clément CRUCHET <lutzenfried@proton.com>

#### Reference ####
++ https://ultimatemember.com/

References:

https://ultimatemember.com/

