Description

The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and output escaping that allows users to encode malicious web scripts with HTML encoding that is reflected back on the page. This affects versions up to, and including, 2.3.2. Please note this issue was partially fixed in version 2.3.2 then subsequently fully patched in version 2.3.3.

Remediation

References

CVE-2022-1208

Related Vulnerabilities

WordPress 5.9.x Multiple Vulnerabilities (5.9 - 5.9.4)

WordPress Plugin FV Flowplayer Video Player Cross-Site Request Forgery (7.5.30.7210)

Apache Tomcat Other Vulnerability (CVE-2000-1210)

WordPress Plugin Bulk Delete Users by Email Cross-Site Request Forgery (1.0)

MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-6455)

Severity

Medium

Classification

CVE-2022-1208 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities