CRITICAL🇬🇧 English

CVE-2020-36156

CVSS 9.9v3.1pub. 2021-01-04upd. 2024-11-21

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Authenticated Privilege Escalation via Profile Update. Any user with wp-admin access to the profile.php page could supply the parameter um-role with a value set to any role (e.g., Administrator) during a profile update, and effectively escalate their privileges.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Ultimatemember Ultimate Member

    APP
    Ultimatemember
    < 2.1.12
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
LPE
CWE
Referencje

Powiązane podatności

CVE-2024-1071CRITICAL9.8PL ✓ten sam produkt

SQL Injection w pluginie Ultimate Member dla WordPress (CVE-2024-1071)

CVE-2023-3460CRITICAL9.8ten sam produkt

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with a...

CVE-2020-36157CRITICAL10.0ten sam produkt

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privile...

CVE-2020-36155CRITICAL10.0ten sam produkt

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privile...

CVE-2025-0308HIGH7.5ten sam produkt

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Pl...