WEB APPLICATION VULNERABILITIES Standard & Premium

WordPress Plugin Ultimate Membership Pro Security Bypass (8.6)

Description

WordPress Plugin Ultimate Membership Pro is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently generate an export containing PII (username, email address, IP address, User-Agent and so on), as well as generate authentication links by suppling an ID or Username. WordPress Plugin Ultimate Membership Pro version 8.6 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 8.6.1 or latest

References

https://blog.wpscan.org/wpvulndb/report/2020/03/06/ultimate-membership-pro-recent-vulnerabilities-breakdown.html

Related Vulnerabilities

WordPress Plugin Ad Invalid Click Protector (AICP) Malicious Code (1.2.9)

WordPress Plugin Pinterest 'Pin It' Button Multiple Unspecified Vulnerabilities (1.3.1)

WordPress Plugin Woocommerce User Email Verification Security Bypass (3.3.0)

WordPress Plugin Contact Form to DB by BestWebSoft-Messages Database For WordPress Cross-Site Scripting (1.5.6)

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2020-11620)

Severity

High

Classification

CWE-264 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass