Description

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and Spotify URL parameters in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Remediation

References

CVE-2024-2765

Related Vulnerabilities

WordPress Plugin Nested Pages Multiple Vulnerabilities (3.1.15)

WordPress Plugin Amelia-Events & Appointments Booking Calendar Cross-Site Scripting (1.0.46)

WordPress Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2019-17671)

WordPress Plugin MoodThingy Mood Rating Widget SQL Injection (0.9.1)

Dolibarr Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2017-9839)

Severity

Medium

Classification

CVE-2024-2765 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities