Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveWordfenceCVE-2022-1208
HistoryJun 13, 2022 - 1:15 p.m.

CVE-2022-1208

2022-06-1313:15:10
Wordfence
web.nvd.nist.gov
81
4
cve-2022-1208
vulnerability
wordpress
ultimate member
stored xss
biogaphy field

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

49.8%

JSON

The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and output escaping that allows users to encode malicious web scripts with HTML encoding that is reflected back on the page. This affects versions up to, and including, 2.3.2. Please note this issue was only partially fixed in version 2.3.2.

Affected configurations

Nvd
Vulners
Node
ultimatememberultimate_memberRange≀2.3.2wordpress
VendorProductVersionCPE
ultimatememberultimate_member*cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "vendor": "ultimatemember",
    "product": "Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "2.3.2",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Social References

More

Related

wpvulndb 1
prion 1
cvelist 1
patchstack 1
cnvd 1
osv 1
nvd 1
openvas 1
wpvulndb
wpvulndb
Ultimate Member < 2.4.0 - Subscriber+ Stored Cross-Site Scripting
2022-06-02 00:00:00
prion
prion
Cross site scripting
2022-06-13 13:15:00
cvelist
cvelist
CVE-2022-1208
2022-06-13 12:43:38
patchstack
patchstack
WordPress Ultimate Member plugin <= 2.3.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
2022-06-02 00:00:00
cnvd
cnvd
WordPress Ultimate Member pluginθ·¨η«™θ„šζœ¬ζΌζ΄ž
2022-06-15 00:00:00
osv
osv
CVE-2022-1208
2022-06-13 13:15:10
nvd
nvd
CVE-2022-1208
2022-06-13 13:15:10
openvas
openvas
WordPress Ultimate Member Plugin <= 2.3.2 XSS Vulnerability
2022-06-14 00:00:00

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

49.8%

JSON
Related for CVE-2022-1208
wpvulndb1prion1cvelist1patchstack1cnvd1osv1nvd1openvas1