The second critical vulnerability was discovered in version 2.5.0 of the Ultimate Member plugin. A cross-site scripting issue was found in the file features/admin/include/advanced-settings.php. An attacker may lure a user into opening a specially crafted link sent via direct message or email; the crafted link injects arbitrary web script or HTML into the page. An attacker may leverage this vulnerability to steal cookie information or login credentials, or to execute server commands. A fix for this problem was released in version 2.5.2. The update addresses the issue CVE-2018-1163. The identifier VDB-213546 was assigned to this vulnerability. Information about the vulnerability and the fix can be found on the plugin's homepage.
By exploiting these issues, attackers may conduct a variety of attacks, including phishing, session hijacking, cross-site request forgery, information disclosure, or remote code execution.

Vulnerable Software and Resolved Issues

Ultimate Member 2.5.0 was vulnerable to a cross-site scripting attack and an information disclosure vulnerability.
The first critical vulnerability was discovered in version 2.5.0 of the Ultimate Member plugin, a WordPress plugin for building membership sites with custom profiles, logins, and more. A cross-site scripting issue was found in the file features/admin/include/advanced-settings.php. An attacker may lure a user into opening a specially crafted link sent via direct message or email; the crafted link injects arbitrary web script or HTML into the page. An attacker may leverage this vulnerability to steal cookie information or login credentials, or to execute server commands. A fix for this problem was released in version 2.5.2 and addresses the issue CVE-2018-1163.
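As an added illustration (constructed for this page, not code from the Ultimate Member plugin), the following PHP shows the unescaped-parameter pattern behind a reflected cross-site scripting flaw in a WordPress admin settings page, next to a hardened version that applies a capability check, input whitelisting and context-specific escaping; the `tab` parameter, the `um_options` page slug and the function names are hypothetical.

```php
<?php
// Constructed illustration, not code from Ultimate Member. Assumes the
// WordPress runtime (esc_attr, esc_url, sanitize_key, current_user_can, ...).

// VULNERABLE pattern: a query parameter is echoed into the page unescaped.
// Any HTML or script carried in the URL's `tab` value becomes part of the
// response, which is the reflected XSS class the advisory describes.
function um_example_settings_tab_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<a class="nav-tab" href="?page=um_options&tab=' . $tab . '">' . $tab . '</a>';
}

// HARDENED version: restrict who may reach the page, whitelist the value,
// and escape every interpolation for its output context.
function um_example_settings_tab_hardened() {
    // Admin settings pages should only render for users allowed to manage them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    // sanitize_key() reduces the input to [a-z0-9_-]; unknown tabs fall back.
    $allowed = array( 'general', 'access', 'email', 'advanced' );
    $tab     = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'general';
    }

    // esc_url() for the href, esc_attr() inside attributes, esc_html() for text.
    $url = add_query_arg( array( 'page' => 'um_options', 'tab' => $tab ), admin_url( 'admin.php' ) );
    printf(
        '<a class="nav-tab %s" href="%s">%s</a>',
        esc_attr( 'nav-tab-' . $tab ),
        esc_url( $url ),
        esc_html( ucfirst( $tab ) )
    );
}
```

The same three measures (authorization, whitelisting, output escaping) are what a reviewer looks for when auditing a settings page; a missing escape on even one interpolation is enough to reintroduce the flaw.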

The vulnerability was discovered in the Ultimate Member plugin v2.5.0. To fix it, upgrade the plugin to version 2.5.2 or higher.

Timeline

Published on: 11/13/2022 08:15:00 UTC
Last modified on: 11/17/2022 17:18:00 UTC

References