Ultimate Member < 2.1.3 – Insecure Direct Object Reference (IDOR) | CVE 2020-6859

Affects Plugins

ultimate-member

Fixed in 2.1.3

References

CVE

CVE-2020-6859

URL

https://github.com/ultimatemember/ultimatemember/commit/249682559012734a4f7d71f52609b2f301ea55b1

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-269

CVSS

4.3 (medium)

Miscellaneous

Verified

No

WPVDB ID

476ccf2e-13f3-4834-9a2e-380d3d3c6729

Timeline

Publicly Published

2020-01-13 (about 6 years ago)

Added

2020-01-22 (about 6 years ago)

Last Updated

2020-08-12 (about 5 years ago)

Other

Published

Title

Published

2023-03-06

Title

Multiple e-plugins - Subscriber+ Privilege Escalation

Published

2025-09-23

Title

Goodlayers Core < 2.1.7 - Authenticated (Contributor+) Privilege Escalation

Published

2023-08-21

Title

MasterStudy LMS < 3.0.18 - Unauthenticated Instructor Account Creation

Published

2016-06-17

Title

Product Catalog <= 3.8.1 - Privilege Escalation

Published

2025-01-16

Title

DD Roles <= 4.1 - Authenticated (Subscriber+) Privilege Escalation