Description

Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin before 2.0.28 for WordPress allow remote attackers to inject arbitrary web script or HTML via the "Primary button Text" or "Second button text" field.

Remediation

References

CVE-2018-17866

Related Vulnerabilities

PHP Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Vulnerability (CVE-2011-0753)

WordPress Plugin Drag & Drop File Uploader 'dnd-upload.php' Arbitrary File Upload (0.1)

Resin Application Server Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-2969)

Django Improper Input Validation Vulnerability (CVE-2019-3498)

Craft CMS Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2019-14280)

Severity

Medium

Classification

CVE-2018-17866 CWE-707 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities