RSS   Vulnerabilities for 'User profile & membership'   RSS

2018-05-14
 
CVE-2018-0590

CWE-noinfo
 
 
Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to modify the other users profiles via unspecified vectors.

 
 
CVE-2018-0589

CWE-noinfo
 
 
Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to add a new form in the 'Forms' page via unspecified vectors.

 
 
CVE-2018-0588

CWE-22
 
 
Directory traversal vulnerability in the AJAX function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to read arbitrary files via unspecified vectors.

 
 
CVE-2018-0587

CWE-434
 
 
Unrestricted file upload vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors.

 
 
CVE-2018-0586

CWE-22
 
 
Directory traversal vulnerability in the shortcodes function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to read arbitrary files via unspecified vectors.

 
2018-04-23
 
CVE-2018-10234

CWE-79
 
 
Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.

 
 
CVE-2018-10233

CWE-352
 
 
The User Profile & Membership plugin before 2.0.7 for WordPress has no mitigations implemented against cross site request forgery attacks. This is a structural finding throughout the entire plugin.

 

 >>> Vendor: Ultimatemember 4 Products
Ultimate member
Ultimatemember
User profile & membership
Jobboardwp

Copyright 2024, cxsecurity.com

 

Back to Top