Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin before 2.0.28 for WordPress allow remote attackers to inject arbitrary web script or HTML via the "Primary button Text" or "Second button text" field.
References
| Link | Resource |
|---|---|
| https://serhack.me/articles/ultimate-member-xss-security-issue | Exploit Third Party Advisory |
| https://wordpress.org/plugins/ultimate-member/#developers | Product Release Notes Third Party Advisory |
| https://wpvulndb.com/vulnerabilities/9615 | |
| https://serhack.me/articles/ultimate-member-xss-security-issue | Exploit Third Party Advisory |
| https://wordpress.org/plugins/ultimate-member/#developers | Product Release Notes Third Party Advisory |
| https://wpvulndb.com/vulnerabilities/9615 |
Configurations
History
21 Nov 2024, 03:55
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://serhack.me/articles/ultimate-member-xss-security-issue - Exploit, Third Party Advisory | |
| References | () https://wordpress.org/plugins/ultimate-member/#developers - Product, Release Notes, Third Party Advisory | |
| References | () https://wpvulndb.com/vulnerabilities/9615 - |
Information
Published : 2018-10-09 22:29
Updated : 2024-11-21 03:55
NVD link : CVE-2018-17866
Mitre link : CVE-2018-17866
CVE.ORG link : CVE-2018-17866
JSON object : View
Products Affected
ultimatemember
- ultimate_member
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')