CVE-2022-3361

2022-11-2921:15:10

CWE-22

[email protected]

web.nvd.nist.gov

wordpress plugin

directory traversal

input validation

shortcodes

remote code execution

administrative privileges

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.003

Percentile

69.4%

JSON

The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the ‘template’ attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (…/…/) to access and include files outside of the intended directory. If an attacker can successfully upload a php file then remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users.

Affected configurations

Nvd

Node

ultimatememberultimate_memberRange≤2.5.0wordpress

VendorProductVersionCPE
ultimatememberultimate_member*cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
ultimatemember	ultimate_member	*	cpe:2.3:a:ultimatemember:ultimate_member::::::wordpress::*

References

github.com/H4de5-7/vulnerabilities/blob/main/CVE-2022-3361.md

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2805393%40ultimate-member&new=2805393%40ultimate-member&sfp_email=&sfph_mail=

www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3361

www.yuque.com/docs/share/23f988ad-1402-42f2-b8d2-c7a87a4022bd