Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

WordPress Ultimate Member Plugin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-17866)

Description

Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin before 2.0.28 for WordPress allow remote attackers to inject arbitrary web script or HTML via the "Primary button Text" or "Second button text" field.

Remediation

References

Related Vulnerabilities

WordPress Plugin Slider Hero with Animation, Video Background SQL Injection (8.2.6)

Squid CVE-2019-12523 Vulnerability (CVE-2019-12523)

WordPress Plugin Rating-Widget:Star Review System Cross-Site Scripting (2.8.8)

Oracle JRE CVE-2013-2464 Vulnerability (CVE-2013-2464)

WordPress Plugin Analyticator Cross-Site Request Forgery (6.4.9.3)

Severity

Medium

Classification

CVE-2018-17866 CWE-707 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities