Ultimate Member 2.39 Unauthorized profile modification

2019.06.18
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-269


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

#### [CVE-2019-10271] Ultimate Member 2.39 Unauthorized profile modification ####

#### Description ####

An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification: any logged-in, authenticated user can modify the profile picture and cover picture of any other user. This includes the profiles and cover pictures of privileged users, such as an administrator account. The plugin does not restrict picture changes to the requesting user's own account (or to accounts that user is allowed to edit), which is a horizontal privilege escalation classified under CWE-269.

#### Timeline (dd/mm/yyyy) ####

++ 12/03/2019 : Initial discovery
++ 13/03/2019 : First contact attempt (email)
++ 13/03/2019 : Response from the vendor
++ 26/03/2019 : Technical details sent to the vendor
++ 26/03/2019 : Reply: fix planned for release 2.40
++ 15/06/2019 : Release of the advisory

#### Fixes ####

++ Upgrade to Ultimate Member 2.40

#### Affected versions ####

++ Versions up to 2.39

#### Credits ####

++ Clément CRUCHET <lutzenfried@proton.com>

#### Reference ####

++ https://ultimatemember.com/
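The advisory does not show the affected code path, so the following is an added illustration rather than Ultimate Member's own code: a hypothetical WordPress AJAX handler that stores a user's profile or cover picture, first in the weak form that matches the class of bug described above (the target user_id is taken from the request with no ownership check), then in a hardened form that binds the change to the requesting account unless the caller holds edit rights over the target. The function names, the `demo_` meta keys and the nonce action are assumptions; the WordPress API calls (`get_current_user_id`, `current_user_can`, `check_ajax_referer`, `update_user_meta`) are real.

```php
<?php
/*
 * Added example, not code from the Ultimate Member plugin.
 * Assumed names: demo_update_picture_weak, demo_update_picture_hardened,
 * meta keys demo_profile_photo / demo_cover_photo, nonce action
 * 'demo_update_picture'. Request parameters assumed: user_id, type, file.
 */

// Weak: any authenticated user may name an arbitrary target user_id.
// This is the shape of bug the advisory describes (CWE-269): the check
// that the picture being changed belongs to the caller is missing.
function demo_update_picture_weak() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 403 );
    }
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $type    = ( $_POST['type'] ?? '' ) === 'cover' ? 'cover' : 'profile';
    $file    = sanitize_file_name( $_POST['file'] ?? '' );

    // No ownership or capability check on $user_id: a low-privileged
    // account can overwrite an administrator's pictures.
    update_user_meta( $user_id, 'demo_' . $type . '_photo', $file );
    wp_send_json_success();
}

// Hardened: the target is the caller's own account, or an account the
// caller is explicitly allowed to edit.
function demo_update_picture_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 403 );
    }
    // CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'demo_update_picture', 'nonce' );

    $current   = get_current_user_id();
    $requested = absint( $_POST['user_id'] ?? 0 );
    // Default to the caller when no explicit target is supplied.
    $user_id   = $requested ? $requested : $current;

    // Authorization: self, or an account with edit rights over the target.
    // 'edit_user' is a meta capability that WordPress maps for the given
    // user id, so a subscriber cannot pass it for an administrator.
    if ( $user_id !== $current && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    $type = ( $_POST['type'] ?? '' ) === 'cover' ? 'cover' : 'profile';
    $file = sanitize_file_name( $_POST['file'] ?? '' );
    if ( '' === $file ) {
        wp_send_json_error( 'missing file name', 400 );
    }

    update_user_meta( $user_id, 'demo_' . $type . '_photo', $file );
    wp_send_json_success( array( 'user_id' => $user_id, 'type' => $type ) );
}

// Only the hardened handler is registered; the weak one is kept for contrast.
add_action( 'wp_ajax_demo_update_picture', 'demo_update_picture_hardened' );
```

The check that matters is the `$user_id !== $current && ! current_user_can( 'edit_user', $user_id )` line: the target account is derived from the session by default, and any client-supplied override has to pass a per-user capability check rather than a mere "is logged in" test. When auditing a plugin for this class of issue, look for update paths where a user id taken from `$_POST`, `$_GET` or a shortcode attribute reaches `update_user_meta`, `wp_update_user` or a file-move into a per-user directory without such a comparison.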

References:

https://ultimatemember.com/



Copyright 2019, cxsecurity.com
