Description
WordPress Plugin Ultimate Member-User Profile, User Registration, Login & Membership is prone to an open redirect vulnerability because the application fails to properly verify user-supplied input. Exploiting this issue may allow attackers to redirect users to arbitrary web sites and conduct phishing attacks; other attacks are also possible. WordPress Plugin Ultimate Member-User Profile, User Registration, Login & Membership version 2.1.6 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 2.1.7 or latest
References
https://wordpress.org/support/topic/redirect_to-in-querystring-vulnerability/
https://plugins.svn.wordpress.org/ultimate-member/trunk/readme.txt
Related Vulnerabilities
WordPress Plugin iThemes Security (formerly Better WP Security) Unspecified Vulnerability (6.9.0)
WordPress Plugin FV Flowplayer Video Player Cross-Site Scripting (7.4.37.727)
Joomla! Core Multiple Vulnerabilities (2.5.0 - 3.9.2)
WordPress Plugin Media from FTP Directory Traversal (9.85)
WordPress Plugin Multiplayer Games Cross-Site Scripting (3.7)