WordPress Plugin Vulnerabilities

Ultimate Member < 1.3.76 - Unauthenticated Change Passwords

Description

Ultimate Member versions below 1.3.76 contain a critical security issue that allows unauthenticated users to reset any users password to an arbitrary value

Affects Plugins

Plugin icon
ultimate-member
Fixed in 1.3.76

References

URL
https://www.pritect.net/blog/ultimate-member-1-3-76-critical-security-issue
URL
https://github.com/ultimatemember/ultimatemember/commit/c54e8d3c56027f1c87f62e54c722dc7c6e72f78a
URL
https://github.com/ultimatemember/ultimatemember/commit/b66c99bec200aec2eda5d53ebf8495e705933081

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
7.5 (high)

Miscellaneous

Submitter
James Golovich
Submitter website
https://pritect.net
Submitter twitter
Pritect
Verified
No
WPVDB ID
3bbcfb9d-d1d4-4979-9ff2-319b17a7d487

Timeline

Publicly Published
2016-12-06 (about 9 years ago)
Added
2016-12-08 (about 9 years ago)
Last Updated
2020-08-12 (about 5 years ago)

Other

Published
Title
Published
2021-10-20
Title
Responsive Image Slider, Photo Gallery And Carousel < 1.3.6 - Subscriber+ Arbitrary Post Access
Published
2023-10-09
Title
Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update
Published
2021-07-19
Title
RestroPress < 2.8.3.1 - Unauthorised AJAX Calls
Published
2022-01-03
Title
TrustMate.io integration for WooCommerce < 1.7.1 - Subscriber+ Arbitrary Blog Option Update
Published
2020-09-28
Title
WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure