Ultimatemember ≫ Ultimate Member

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Authenticated Privilege Escalation via Profile Update. Any user with wp-admin access to the profile.php page could supply the parameter um-role with a value set to...

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta. An attacker could supply an array parameter for sensitive metadata, such as the wp_capabilities user meta that ...

Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parame...

The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.

The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.

The ultimate-member plugin before 2.0.54 for WordPress has XSS.

The ultimate-member plugin before 2.0.4 for WordPress has XSS.

The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form.

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. It is possible to modify the profile and cover picture of any user once one is connected. One can also modify the...