WordPress Plugin Vulnerabilities

Ultimate Member < 2.5.1 - Admin+ LFI via Traversal

Description

The plugin does not validate and sanitize the pack parameter before using it in an include statement, which could allow high privilege users to perform local file inclusion attacks via a Traversal vector

Affects Plugins

ultimate-member

Fixed in version 2.5.1

References

CVE

CVE-2022-2445

Classification

Type

TRAVERSAL

OWASP top 10

A1: Injection

CWE

CWE-22

Miscellaneous

Original Researcher

Ruijie Li

Verified

WPVDB ID

89b6e16a-0a7b-4864-a755-8d6586524b79

Timeline

Publicly Published

2022-10-28 (about 3 months ago)

Added

2022-10-30 (about 3 months ago)

Last Updated

2022-10-30 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin