Ultimate Member < 2.0.52 – CSRF and Stored XSS issues | CVE 2019-14946 | Plugin Vulnerabilities

Description

A CSRF vulnerability in adding/editing user roles in Ultimate Member 2.0.49. It also lead to stored XSS.

Edit (WPScanTeam):
July 9th, 2019 - v2.0.50 released and still affected. Escalated to WP Plugins Team
July 9th, 2019 - v2.0.51 released, fixing the CSRF but not the XSS
July 11th, 2019 - Escalated again to WP Plugins team, as another XSS was reported on June 24th, 2019 (https://github.com/ultimatemember/ultimatemember/issues/578) and was still unfixed.
July 11th - v2.0.52 released fixing both XSS

Proof of Concept

Video POC : https://drive.google.com/file/d/1wz846fP9rB97PlRSlC4xHYW_Q5QJXK4s/view?usp=sharing

csrf-um.html : https://drive.google.com/file/d/1p6Rzw3ts7RASP4X7H8v2CI3TIXPVwVn1/view?usp=sharing

Affects Plugins

ultimate-member

Fixed in 2.0.52

References

CVE

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

m0ns7er

Submitter

Akash Labade

Submitter website

https://www.asfaleia.tech

Submitter twitter

Verified

Yes

WPVDB ID

fe9a9ae7-b547-4ac3-b309-93ab37d68112

Timeline

Publicly Published

2019-06-24 (about 6 years ago)

Added

2019-07-11 (about 6 years ago)

Last Updated

2020-08-12 (about 5 years ago)

Other

Published

Title

Published

2024-06-06

Title

WP Docs < 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-09-25

Title

WordPress Visitors <= 1.0 - Unauthenticated Stored Cross-Site Scripting via HTTP Header

Published

2023-12-20

Title

Limit Login Attempts Reloaded < 2.25.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2025-02-13

Title

Elfsight Yottie Lite <= 1.3.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2022-12-29

Title

Genesis Columns Advanced < 2.0.4 - Contributor+ Stored XSS via Shortcode