Ultimate Member < 2.9.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary User Profile Picture Update | CVE 2024-10528 | Plugin Vulnerabilities

Description

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_ajax_um_resize_image() and ajax_resize_image() functions in all versions up to, and including, 2.8.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the profile pictures of other users.

Affects Plugins

ultimate-member

Fixed in 2.9.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0a9793b6-2186-46ef-b204-d8f8f154ebf3

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

tiborisaak

Verified

No

WPVDB ID

54a53b30-4249-4559-85f8-7aeac2dc0df2

Timeline

Publicly Published

2024-11-20 (about 1 year ago)

Added

2024-11-20 (about 1 year ago)

Last Updated

2024-11-21 (about 1 year ago)

Other

Published

Title

Published

2024-01-17

Title

WooCommerce Subscriptions < 5.8.0 - Missing Authorization

Published

2025-12-13

Title

Ultimate Addons for Contact Form 7 < 3.5.35 - Missing Authorization

Published

2024-11-25

Title

Booking & Appointment Plugin for WooCommerce < 6.10.0 - Subscriber+ Arbitrary Option Update

Published

2025-05-19

Title

Legal Pages < 1.4.6 - Missing Authorization

Published

2024-04-22

Title

SchedulePress < 5.0.9 - Missing Authorization