9.8
CVE-2023-3460
- EPSS 69.6%
- Published 04.07.2023 08:15:10
- Last modified 21.11.2024 08:17:19
- Source contact@wpscan.com
Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
Ultimate Member <= 2.6.6 - Privilege Escalation via Arbitrary User Meta Updates
The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
Possible mitigation
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin: Update to version 2.6.7, or a newer patched version
Data provided by the National Vulnerability Database (NVD)
Ultimatemember ≫ Ultimate Member, software platform: wordpress, version < 2.6.7
Further vulnerability information
System: WordPress Plugin
≫
Product: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Version: *-2.6.6
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 69.6% | 0.993 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/
https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7
https://www.wordfence.com/threat-intel/vulnerabilities/id/4b0e763e-f03e-41fb-8c6c-4de5d3acae00