Vulnerability Description
A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the e-mail address in the administrator profile, and then the attacker is able to reset the administrator password using the WordPress "password forget" form.
CVSS Score
HIGH (CVSS base score 8.8)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ultimatemember | Ultimate Member | < 2.0.40 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/152315/WordPress-Ultimate-Member-2.0.38-Cro (Exploit, Third Party Advisory, VDB Entry)
- https://wpvulndb.com/vulnerabilities/9250
FAQ
What is CVE-2019-10673?
CVE-2019-10673 is a vulnerability with a CVSS score of 8.8 (HIGH). A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information a...
How severe is CVE-2019-10673?
CVE-2019-10673 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-10673?
Check the references section above for vendor advisories and patch information. Affected products include: Ultimatemember Ultimate Member.