Description
The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function, which accepts user-supplied input and passes it to call_user_func(). This makes it possible for authenticated attackers with administrative capabilities to execute code on the server.
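The pattern described above, shown next to an allowlisted version, as an added example that is not the plugin's own code. Every function name and sample input here is hypothetical and constructed for illustration.

```php
<?php
// Added illustration; NOT Ultimate Member's source. All names are hypothetical.

// Constructed sample callbacks a settings screen might legitimately need.
function example_get_roles(): array { return ['subscriber', 'editor']; }
function example_get_pages(): array { return ['login', 'register']; }

// Unsafe pattern: the callback name comes straight from the request, so any
// callable PHP function can be reached by whoever controls that value.
function option_value_unsafe(string $callback)
{
    return call_user_func($callback);
}

// Hardened pattern: only names on a fixed, server-side allowlist are invoked.
const ALLOWED_OPTION_CALLBACKS = ['example_get_roles', 'example_get_pages'];

function option_value_allowlisted(string $callback)
{
    // Strict comparison: no type juggling, no case folding, no partial matches.
    if (!in_array($callback, ALLOWED_OPTION_CALLBACKS, true)) {
        throw new InvalidArgumentException('Callback not permitted');
    }
    // Guard against an allowlist entry whose function was removed or renamed.
    if (!is_callable($callback)) {
        throw new RuntimeException('Allowlisted callback is not defined');
    }
    return call_user_func($callback);
}

// Constructed inputs: one expected name, one name that is not on the allowlist.
foreach (['example_get_roles', 'phpversion'] as $requested) {
    try {
        $value = option_value_allowlisted($requested);
        echo $requested, ' => ', json_encode($value), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $requested, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

When reviewing similar code, check every call_user_func() and call_user_func_array() call site for a callable argument that can be traced back to request data or to a stored option an administrator can edit.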