Description

The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and output escaping that allows users to encode malicious web scripts with HTML encoding that is reflected back on the page. This affects versions up to, and including, 2.3.2. Please note this issue was partially fixed in version 2.3.2 then subsequently fully patched in version 2.3.3.

Remediation

References

CVE-2022-1208

Related Vulnerabilities

Oracle Application Server CVE-2009-3412 Vulnerability (CVE-2009-3412)

WordPress Plugin Default Thumbnail Plus Arbitrary File Upload (1.0.2.3)

WordPress Plugin VikRentCar Car Rental Management System Cross-Site Scripting (1.1.9)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-7837)

WordPress Plugin Shared Files-Easy Download Manager and File Sharing with Frontend File Upload Cross-Site Scripting (1.6.56)

Severity

Medium

Classification

CVE-2022-1208 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities