The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.6. This is due to missing or incorrect nonce validation on the admin_init or user_action_hook function. This makes it possible for unauthenticated attackers to modify a users membership status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Ultimatemember |
|
No data.
References
History
Fri, 04 Oct 2024 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Ultimatemember
Ultimatemember ultimate Member |
|
| CPEs | cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:* | |
| Vendors & Products |
Ultimatemember
Ultimatemember ultimate Member |
|
| Metrics |
ssvc
|
Fri, 04 Oct 2024 04:45:00 +0000
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-10-04T02:32:22.432Z
Updated: 2024-10-04T14:03:08.903Z
Reserved: 2024-09-06T14:54:51.269Z
Link: CVE-2024-8520
Vulnrichment
Updated: 2024-10-04T14:03:02.640Z
NVD
Status : Analyzed
Published: 2024-10-04T05:15:11.727
Modified: 2024-10-08T21:50:30.153
Link: CVE-2024-8520
Redhat
No data.