← Back

User Meta

user-meta

3 CVEs • 2 products

Products (2)

Click to collapse
Toggle

CVEs (3)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1User Meta
1User Meta Manager
Jun 17, 2026
May 22, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in User Meta Manager plugin <= 3.4.9 versions.
1User Meta
1User Meta User Profile Builder And User Management
Jun 17, 2026
Jun 8, 2022
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
The User Meta WordPress plugin before 2.4.4 does not validate the filepath parameter of its um_show_uploaded_file AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the...Show more
The User Meta WordPress plugin before 2.4.4 does not validate the filepath parameter of its um_show_uploaded_file AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the web server via path traversal payloadsShow less
1User Meta
1User Meta User Profile Builder And User Management
Jun 17, 2026
May 30, 2022
N/A· v4
4.8 MEDIUM· v3
3.5 LOW· v2
The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege u...Show more
The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowedShow less