← Back

User Profile & Membership

user_profile_&_membership

Vendor: Ultimatemember • 7 CVEs

CVEs (7)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2018-0590
1Ultimatemember
1User Profile & Membership
Nov 21, 2024
May 14, 2018
N/A· v4
4.3 MEDIUM· v3
4.0 MEDIUM· v2
Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to modify the other users profiles via unspecified vectors.
CVE-2018-0589
1Ultimatemember
1User Profile & Membership
Nov 21, 2024
May 14, 2018
N/A· v4
4.3 MEDIUM· v3
4.0 MEDIUM· v2
Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to add a new form in the 'Forms' page via unspecified vectors.
CVE-2018-0588
1Ultimatemember
1User Profile & Membership
Nov 21, 2024
May 14, 2018
N/A· v4
7.5 HIGH· v3
6.4 MEDIUM· v2
Directory traversal vulnerability in the AJAX function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to read arbitrary files via unspecified vectors.
CVE-2018-0587
1Ultimatemember
1User Profile & Membership
Nov 21, 2024
May 14, 2018
N/A· v4
4.3 MEDIUM· v3
4.0 MEDIUM· v2
Unrestricted file upload vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors.
CVE-2018-0586
1Ultimatemember
1User Profile & Membership
Nov 21, 2024
May 14, 2018
N/A· v4
4.3 MEDIUM· v3
4.0 MEDIUM· v2
Directory traversal vulnerability in the shortcodes function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to read arbitrary files via unspecified vectors.
CVE-2018-10234
1Ultimatemember
1User Profile & Membership
Nov 21, 2024
Apr 23, 2018
N/A· v4
4.8 MEDIUM· v3
3.5 LOW· v2
Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account p...Show more
Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.Show less
CVE-2018-10233
1Ultimatemember
1User Profile & Membership
Nov 21, 2024
Apr 23, 2018
N/A· v4
8.8 HIGH· v3
6.8 MEDIUM· v2
The User Profile & Membership plugin before 2.0.7 for WordPress has no mitigations implemented against cross site request forgery attacks. This is a structural finding throughout the entire plugin.