Ultimatemember Ultimate Member vulnerabilities
37 known vulnerabilities affecting ultimatemember/ultimate_member.
Total CVEs: 37
CISA KEV: 0
Public exploits: 3
Exploited in wild: 4
Severity breakdown: CRITICAL 4, HIGH 8, MEDIUM 25
Vulnerabilities
Page 2 of 2
CVE-2020-36170 | P4 | MEDIUM | CVSS 5.3 | fixed in 2.1.13 | 2021-01-06
The Ultimate Member plugin before 2.1.13 for WordPress mishandles hidden name="timestamp" fields in forms.
nvd
CVE-2018-17866 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2.0.28 | 2018-10-09
Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin before 2.0.28 for WordPress allow remote attackers to inject arbitrary web script or HTML via the "Primary button Text" or "Second button text" field.
nvd
CVE-2018-13136 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2.0.18 | 2018-07-04
The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen.
nvd
CVE-2016-10872 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.3.40 | 2019-08-12
The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form.
nvd
CVE-2021-24306 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2.1.20 | 2021-05-24
The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit th
nvd
CVE-2024-2765 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2.8.5 | 2024-05-02
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and Spotify URL parameters in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for a
nvd
CVE-2015-9304 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.3.18 | 2019-08-12
The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.
nvd
CVE-2019-14947 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2.0.52 | 2019-08-12
The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.
nvd
CVE-2022-1208 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 2.3.2 | 2022-06-13
The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and output escaping that allows users to encode malicious web scripts with HTML encoding that is reflected back on the page. This affects versions up to, and inclu
nvd
CVE-2019-14946 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2.0.52 | 2019-08-12
The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.
nvd
CVE-2024-8519 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2.8.7 | 2024-10-04
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'um_loggedin' shortcode in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping on user supplied attributes.
nvd
CVE-2018-20965 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2.0.4 | 2019-08-12
The ultimate-member plugin before 2.0.4 for WordPress has XSS.
nvd
CVE-2018-0585 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2.0.4 | 2018-05-14
Cross-site scripting vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2019-14945 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2.0.54 | 2019-08-12
The ultimate-member plugin before 2.0.54 for WordPress has XSS.
nvd
CVE-2024-10528 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 2.9.0 | 2024-11-21
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_ajax_um_resize_image() and ajax_resize_image() functions in all versions up to, and including, 2.8.9. This makes it p
nvd
CVE-2019-10271 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.0.40 | 2019-06-24
An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. It is possible to modify the profile and cover picture of any user once one is connected. One can also modify the profiles and cover pictures of privileged users. To perform such a modification, one first needs to (for exa
nvd
CVE-2024-8520 | P4 | MEDIUM | CVSS 4.3 | CWE-352 | fixed in 2.8.7 | 2024-10-04
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.6. This is due to missing or incorrect nonce validation on the admin_init or user_action_hook function. This makes it possible for
nvd