Description

The Ultimate Member plugin for WordPress is vulnerable to open redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims in versions up to, and including, 2.3.1 granted the victim clicks on a social icon on a user's profile page.

Remediation

References

CVE-2022-1209

Related Vulnerabilities

WordPress 3.8.x Cross-Site Scripting Vulnerability (3.8 - 3.8.11)

Drupal Core 4.6.x Arbitrary Code Execution (4.6.0 - 4.6.6)

Oracle Database Server Other Vulnerability (CVE-2001-0833)

Microsoft SQL Server Other Vulnerability (CVE-2000-0199)

WordPress Plugin Welcart e-Commerce Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities (1.2.1)

Severity

Medium

Classification

CVE-2022-1209 CWE-601 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities