Ultimate Member <= 2.0.53 – Cross-Site Scripting (XSS) | CVE 2019-14945

Affects Plugins

ultimate-member

Fixed in 2.0.54

References

CVE

CVE-2019-14945

URL

https://plugins.trac.wordpress.org/changeset/2126761/ultimate-member

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Submitter

Ryan Dewhurst

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

e68c8f73-429e-423b-884e-d03b24142d14

Timeline

Publicly Published

2019-07-22 (about 6 years ago)

Added

2019-08-13 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2014-08-01

Title

Widget Control Powered By Everyblock 1.0.1 - wp-admin/admin.php idDropdown Parameter XSS Weakness

Published

2014-08-01

Title

Xorbin Analog Flash Clock 1.0 - Flash-based XSS

Published

2021-11-03

Title

WP Google Fonts < 3.1.5 - Reflected Cross-Site Scripting

Published

2023-10-16

Title

Responsive Pricing Table < 5.1.8 - Admin+ Stored Cross-Site Scriping

Published

2024-04-22

Title

GeoDirectory – WordPress Business Directory Plugin, or Classified Directory < 2.3.49 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'gd_single_tabs' Shortcode