Description

An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. It is possible to modify the profile and cover picture of any user once one is connected. One can also modify the profiles and cover pictures of privileged users. To perform such a modification, one first needs to (for example) intercept an upload-picture request and modify the user_id parameter.

Remediation

References

CVE-2019-10271

Related Vulnerabilities

PHP Numeric Errors Vulnerability (CVE-2015-4022)

WordPress Plugin Classified Listing Store & Membership Cross-Site Scripting (1.4.19)

MySQL CVE-2019-2644 Vulnerability (CVE-2019-2644)

WordPress Plugin Contact Form 7 Style Cross-Site Request Forgery (3.2)

WordPress Plugin FormLift for Infusionsoft Web Forms SQL Injection (7.5.17)

Severity

Medium

Classification

CVE-2019-10271 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Tags

Missing Update Known Vulnerabilities