cbcvebase.
CVE-2019-10673
published 2019-04-03

CVE-2019-10673: A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and…

PriorityP345high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EPSS
1.82%
76.0th percentile
A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the e-mail address in the administrator profile, and then the attacker is able to reset the administrator password using the WordPress "password forget" form.

Affected

2 ranges
VendorProductVersion rangeFixed in
fasterxmljackson-databind>= 0 < 2.4.2-3ubuntu0.1~esm22.4.2-3ubuntu0.1~esm2
ultimatememberultimate_member< 2.0.402.0.40

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
osv9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.