Description
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.8.6. The cause is missing or incorrect nonce validation in the admin_init or user_action_hook function: the handler performs a state-changing action on the parameters of an incoming request without verifying that the request was generated by a page the plugin itself rendered for the current user. As a result, an unauthenticated attacker can modify a user's membership status through a forged request, provided they can trick a logged-in site administrator into performing an action such as clicking a link, since the administrator's browser attaches the valid session cookies to the forged request automatically.
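The following is an added illustration of the generic WordPress pattern behind this class of bug, not Ultimate Member's own code: a vulnerable admin_init handler that acts on request parameters without a nonce, beside the hardened form that checks capability and nonce before changing state. All function, action and meta-key names (um_example_*, 'um_example_action', 'account_status') are assumptions chosen for the example.

```php
<?php
// Added illustrative example, not code from the Ultimate Member plugin.
// Names below (um_example_*, 'um_example_action', 'account_status') are assumed.

// VULNERABLE PATTERN: a hook on admin_init changes user state based on request
// parameters alone. Because no nonce is checked, any page the administrator visits
// (a link, an <img src=...>, an auto-submitting form) can make their browser send this
// request with the admin's session cookies attached, and the change goes through.
function um_example_vulnerable_handler() {
    if ( isset( $_REQUEST['um_example_action'] ) && 'set_status' === $_REQUEST['um_example_action'] ) {
        $user_id = absint( $_REQUEST['user_id'] );
        $status  = sanitize_key( $_REQUEST['status'] );
        update_user_meta( $user_id, 'account_status', $status ); // state change on a forgeable request
    }
}
add_action( 'admin_init', 'um_example_vulnerable_handler' );

// HARDENED PATTERN: require a capability and a valid nonce before touching state.
// check_admin_referer() looks up the nonce in $_REQUEST['_wpnonce'], verifies it against
// the action name and the current user's session, and calls wp_die() on failure, so the
// update below never runs for a request an attacker's page assembled.
function um_example_hardened_handler() {
    if ( ! isset( $_REQUEST['um_example_action'] ) || 'set_status' !== $_REQUEST['um_example_action'] ) {
        return;
    }
    if ( ! current_user_can( 'edit_users' ) ) {
        return; // authorization: only users allowed to edit users may change status
    }
    check_admin_referer( 'um_example_set_status', '_wpnonce' ); // CSRF protection: dies if invalid
    $user_id = absint( $_REQUEST['user_id'] );
    $status  = sanitize_key( $_REQUEST['status'] );
    update_user_meta( $user_id, 'account_status', $status );
}
add_action( 'admin_init', 'um_example_hardened_handler' );

// The link the plugin's own admin UI would render. wp_nonce_url() appends a _wpnonce
// bound to the action name and the logged-in user, which is exactly what an attacker's
// page cannot produce, since the nonce is derived from the victim's session.
function um_example_status_link( $user_id, $status ) {
    $url = add_query_arg(
        array(
            'um_example_action' => 'set_status',
            'user_id'           => absint( $user_id ),
            'status'            => sanitize_key( $status ),
        ),
        admin_url( 'users.php' )
    );
    return wp_nonce_url( $url, 'um_example_set_status', '_wpnonce' );
}
```

Two points worth checking when auditing a handler like this: the nonce check must use the same action string as the link or form that generated it, and it must run before the state change rather than after it. A capability check alone does not stop CSRF, because the forged request arrives with the administrator's real session; the nonce is what proves the request originated from the plugin's own page.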
Remediation
References