WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Ultimate Member < 2.5.1 - Admin+ RCE

Description

The plugin does not validate user input passed to call_user_func() via the get_option_value_from_callback() function, which could allow high privilege users to perform RCE even when they are not allowed to (for example in multisite setup)

Affects Plugins

ultimate-member
Fixed in version 2.5.1

References

CVE
CVE-2022-3383

Classification

Type

TRAVERSAL

OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Original Researcher

Ruijie Li

Verified

No

WPVDB ID
20fd0da4-ee1a-4557-aee5-77953879b93c

Timeline

Publicly Published

2022-10-28 (about 3 months ago)

Added

2022-10-30 (about 3 months ago)

Last Updated

2022-10-30 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin