9.3
CVE-2019-10673
- EPSS 1.82%
- Veröffentlicht 03.04.2019 05:29:00
- Zuletzt bearbeitet 21.11.2024 04:19:43
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginUltimate Member <= 2.0.39 - Cross-Site Request Forgery
A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the e-mail address in the administrator profile, and then the attacker is able to reset the administrator password using the WordPress "password forget" form.
Mögliche Gegenmaßnahme
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin: Update to version 2.0.40, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ultimatemember ≫ Ultimate Member SwPlatformwordpress Version < 2.0.40
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Version
[*, 2.0.40)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.82% | 0.759 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 9.3 | 8.6 | 10 |
AV:N/AC:M/Au:N/C:C/I:C/A:C
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
http://packetstormsecurity.com/files/152315/WordPress-Ultimate-Member-2.0.38-Cross-Site-Request-Forgery.html
https://wpvulndb.com/vulnerabilities/9250
https://www.wordfence.com/threat-intel/vulnerabilities/id/fa0881ab-d731-4e57-8323-c49b9306bf50