cbcvebase.
CVE-2022-1208
published 2022-06-13

CVE-2022-1208: The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to…

PriorityP423medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.87%
54.3th percentile
The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and output escaping that allows users to encode malicious web scripts with HTML encoding that is reflected back on the page. This affects versions up to, and including, 2.3.2. Please note this issue was only partially fixed in version 2.3.2.

Affected

1 ranges
VendorProductVersion rangeFixed in
ultimatememberultimate_member<= 2.3.2

CVSS provenance

nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.