WordPress Ultimate Member Plugin <= 2.1.2 Multiple Insecure Direct Object Reference Vulnerabilities

Published: 2020-01-20 12:33:35
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:N

Detection Type:
Remote Banner

Solution Type:
None Available

Summary:
The WordPress plugin Ultimate Member is prone to multiple Insecure Direct Object Reference (IDOR) vulnerabilities: requests that act on a profile identified by a user_id parameter are not checked against the identity of the requesting user, so the target account is chosen by the client.

Detection Method:
Checks if a vulnerable version is present on the target host.

Technical Details:
The vulnerabilities reside in includes/core/class-files.php.

Impact:
Successful exploitation would allow a remote attacker to change other users' profiles and cover photos via a modified user_id parameter.

Affected Versions:
WordPress Ultimate Member plugin through version 2.1.2.
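The detection method above is a version check: WordPress plugins publish their installed version as the "Stable tag:" line of a world-readable readme.txt under wp-content/plugins/, and any Ultimate Member version at or below 2.1.2 is treated as affected. The following Python is an added example written for this page, not Mageni's scanner code; the readme text is constructed, the readme path and the fetch helper are assumptions about a typical WordPress install, and the version comparison handles the cases a naive string compare gets wrong (2.1.10 versus 2.1.2, a two-component tag, a non-numeric "trunk" tag).

```python
"""
Version-based check mirroring the advisory's detection logic for
CVE-2020-6859 (Ultimate Member <= 2.1.2).

Added example for this page; not the scanner's own code. The readme
sample is constructed to look like a WordPress plugin readme header.
"""
import re
import urllib.request
from typing import Optional, Tuple

# "through version 2.1.2" per the advisory; nothing newer is flagged.
LAST_VULNERABLE = "2.1.2"

# Assumed location of the plugin readme on a default WordPress install.
README_PATH = "/wp-content/plugins/ultimate-member/readme.txt"

# Constructed sample readme header (not copied from the real plugin).
SAMPLE_README = """=== Ultimate Member ===
Contributors: example
Tags: community, member, user profile
Requires at least: 5.0
Tested up to: 5.3
Stable tag: 2.1.2
License: GPLv2 or later
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'2.1.2' -> (2, 1, 2). Returns None for non-numeric tags such as 'trunk'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Numeric, component-wise compare; shorter tuples are padded with zeros
    so that 2.1 == 2.1.0. Returns -1, 0 or 1."""
    n = max(len(a), len(b))
    a2 = a + (0,) * (n - len(a))
    b2 = b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def stable_tag(readme: str) -> Optional[str]:
    """Extract the value of the 'Stable tag:' line, or None if absent."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable(readme: str) -> Optional[bool]:
    """True if the advertised version is <= 2.1.2, False if newer,
    None when the version cannot be determined (no tag, or 'trunk').
    A None result must not be reported as 'not vulnerable'."""
    tag = stable_tag(readme)
    if tag is None:
        return None
    version = parse_version(tag)
    if version is None:
        return None
    return compare(version, parse_version(LAST_VULNERABLE)) <= 0


def fetch_readme(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the plugin readme from a live site (network helper; not used
    by the offline sample below). base_url is e.g. 'https://blog.example'."""
    with urllib.request.urlopen(base_url.rstrip("/") + README_PATH, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print("Stable tag:", stable_tag(SAMPLE_README))
    print("Vulnerable (<= %s):" % LAST_VULNERABLE, is_vulnerable(SAMPLE_README))
```

Two caveats a practitioner should keep in mind: the readme only reflects the version the site operator installed, so a site that has removed or blocked readme.txt yields None rather than a clean bill of health, and because no fixed release existed on the advisory date, the check has nothing newer to compare against beyond 2.1.2 itself; once a patched version ships, LAST_VULNERABLE is the only constant that changes.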

Recommendations:
No known solution is available as of 20 January 2020. Information regarding this issue will be updated once solution details are available.

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2020-6859

References:

https://wordpress.org/plugins/ultimate-member/#developers

Severity:
Medium

CVSS Score:
6.4
