Description

The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and output escaping that allows users to encode malicious web scripts with HTML encoding that is reflected back on the page. This affects versions up to, and including, 2.3.2. Please note this issue was partially fixed in version 2.3.2 then subsequently fully patched in version 2.3.3.

Remediation

References

CVE-2022-1208

Related Vulnerabilities

WordPress Plugin Zingiri Web Shop 'ajax_save_name.php' Remote Code Execution (2.2.3)

Ruby on Rails Uncontrolled Resource Consumption Vulnerability (CVE-2020-8185)

PHP Improper Input Validation Vulnerability (CVE-2021-21705)

IBM RTC Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-1758)

WordPress Plugin Ultimate GDPR & CCPA Compliance Toolkit for WordPress Security Bypass (2.4)

Severity

Medium

Classification

CVE-2022-1208 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities