CVE-2022-3383
Published: 2022-11-29
Priority: P3
CVSS 3.1: 7.2 (High), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.78% (84.6th percentile)
The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server.
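The pattern the advisory describes, as an added illustration that is not Ultimate Member's own code: a settings helper that takes a callback name from request data and hands it straight to call_user_func(), next to a hardened form that resolves the request value through a fixed allowlist instead. The function names, option keys and the `callback` request parameter are assumptions made for the demo.

```php
<?php
// Added example, not the plugin's source. Models the shape the advisory
// describes (user input -> call_user_func()) and a safe alternative.
// Function/parameter names are assumptions for the demo.
declare(strict_types=1);

// --- Vulnerable shape: the callable name itself comes from the request -----
function vulnerable_get_option_value_from_callback(array $field, array $request): string
{
    // Request data wins over the field definition; an admin-capable account
    // can send any function name here.
    $callback = (string) ($request['callback'] ?? $field['callback'] ?? '');
    // call_user_func() will happily invoke 'system', 'shell_exec', 'phpinfo', ...
    return (string) call_user_func($callback, (string) ($field['value'] ?? ''));
}

// --- Hardened shape: the request selects a key, never a function name ------
const ALLOWED_OPTION_CALLBACKS = [
    'upper' => 'strtoupper',
    'lower' => 'strtolower',
    'trim'  => 'trim',
];

function safe_get_option_value_from_callback(array $field, array $request): string
{
    $key = (string) ($request['callback'] ?? $field['callback'] ?? '');
    if (!array_key_exists($key, ALLOWED_OPTION_CALLBACKS)) {
        throw new InvalidArgumentException('callback key not allowed: ' . $key);
    }
    $callback = ALLOWED_OPTION_CALLBACKS[$key];
    return (string) call_user_func($callback, (string) ($field['value'] ?? ''));
}

// Constructed sample inputs for the demo.
$field = ['value' => 'hello'];

// The vulnerable form accepts *any* function name. 'strrev' is harmless and
// shows the arbitrary dispatch; 'system' would be accepted the same way.
echo vulnerable_get_option_value_from_callback($field, ['callback' => 'strrev']), PHP_EOL; // olleh

// The hardened form maps a key to a fixed function ...
echo safe_get_option_value_from_callback($field, ['callback' => 'upper']), PHP_EOL; // HELLO

// ... and rejects anything that is not an allowlisted key.
try {
    safe_get_option_value_from_callback($field, ['callback' => 'shell_exec']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`. Note the PR:H in the vector: the attacker already needs administrative capabilities, and a WordPress administrator can normally install arbitrary plugins unless `DISALLOW_FILE_MODS` is set, which is why this is scored 7.2 and ranked P3 rather than critical. The bug still matters on sites that lock down file modifications, and an allowlist is the right fix regardless of who can reach the endpoint.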
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ultimatemember | ultimate_member | <= 2.5.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | (not given) | 5.5 | MEDIUM | (not given) |
Note: the Red Hat score matches the Red Hat entry for CVE-2022-50334 (a Linux kernel hugetlbfs null pointer dereference) that also appears on this page. Red Hat does not ship the Ultimate Member plugin, so that score should not be read as a vendor rating of CVE-2022-3383.
GHSA
GHSA-j2mc-g8cr-m8pq (ghsa_unreviewed, 2022-11-29): CVE-2022-3383, HIGH, CWE-94
The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server.
Red Hat
Note: this entry describes CVE-2022-50334, a Linux kernel bug, not CVE-2022-3383. It is listed here under the Red Hat source but has no bearing on the Ultimate Member plugin.
CVE-2022-50334 [MEDIUM] CWE-476 (vendor_redhat, 2025-09-15, CVSS 5.5): kernel: hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()
In the Linux kernel, the following vulnerability has been resolved:
hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()
Syzkaller reports a null-ptr-deref bug as follows:
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:hugetlbfs_parse_param+0x1dd/0x8e0 fs/hugetlbfs/inode.c:1380
[...]
Call Trace:
vfs_parse_fs_param fs/fs_context.c:148 [inline]
vfs_parse_fs_param+0x1f9/0x3c0 fs/fs_context.c:129
vfs_parse_fs_string+0xdb/0x170 fs/fs_context.c:191
generic_parse_monolithic+0x16f/0x1f0 fs/fs_context.c:231
do_new_mount fs/namespace.c:3036 [inline]
path_mount+0x12de/0x1e20 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/name
No detection rules found.
No public exploits indexed here, although the references include a GitHub write-up covering CVE-2022-3383 and CVE-2022-3384.
References
- https://github.com/H4de5-7/vulnerabilities/blob/main/CVE-2022-3383%20%26%26%20CVE-2022-3384.md
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2805393%40ultimate-member&new=2805393%40ultimate-member&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ed28fe16-0835-4e94-a30e-305e7ba03740?source=cve
- https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3383
- https://www.yuque.com/docs/share/8796eef9-ac4c-4339-96b4-6c21313ecf3e