Description

The Ultimate Member plugin for WordPress is vulnerable to open redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims in versions up to, and including, 2.3.1 granted the victim clicks on a social icon on a user's profile page.

Remediation

References

CVE-2022-1209

Related Vulnerabilities

Joomla Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2018-8045)

WordPress Plugin RestroPress-Online Food Ordering System Security Bypass (2.8.3)

WordPress Plugin 1-click Retweet/Share/Like Cross-Site Scripting (5.2)

Liferay Portal Permissions, Privileges, and Access Controls Vulnerability (CVE-2010-5327)

MediaWiki Improper Access Control Vulnerability (CVE-2016-6336)

Severity

Medium

Classification

CVE-2022-1209 CWE-601 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities