Ultimate Member 2.39 Unauthorized profile modification

2019.06.18

Clément Cruchet (CA)

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2019-10271

CWE: CWE-269

Ogólna skala CVSS: 4/10

Znaczenie: 2.9/10

Łatwość wykorzystania: 8/10

Wymagany dostęp: Zdalny

Złożoność ataku: Niska

Autoryzacja: Jednorazowa

Wpływ na poufność: Brak

Wpływ na integralność: Częściowy

Wpływ na dostępność: Brak

#### [CVE-2019-10271] Ultimate Member 2.39 Unauthorized profile modification
#### Description ####
An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. As a connected and authenticated user it is possible to modify the profile and cover picture of any user. It is also possible to modify the profiles and cover pictures of privileged users as admin user.
#### Timeline (dd/mm/yyyy) ####
++ 12/03/2019 : Initial discovery
++ 13/03/2019 : First contact attempt (email)
++ 13/03/2019 : Response from editor
++ 26/03/2019 : Technical details sent to the editor
++ 26/03/2019 : Reply: fix planned for release 2.40
++ 15/06/2019 : Release of the advisory
#### Fixes Upgrade to Ultimate Member 2.40 ####
#### Affected versions ####
++ Versions up to 2.39
#### Credits ####
++ Clément CRUCHET <lutzenfried@proton.com>
#### Reference ####
++ https://ultimatemember.com/

Referencje:

https://ultimatemember.com/

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Ultimate Member 2.39 Unauthorized profile modification

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.