
    2 vulnerabilities found for Ultimate Member by Unknown

    CVE-2023-3460 (GCVE-0-2023-3460)

    Vulnerability from nvd – Published: 2023-07-04 07:23 – Updated: 2024-11-25 16:47
    VLAI
    Title
    Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
    Summary
    The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
    Severity
    No CVSS data available.
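    SSVC
    Exploitation: poc; Automatable: yes; Technical Impact: total
    Source: CISA Coordinator (v2.0.3)
    Note: the summary above reports active exploitation in the wild, while this SSVC entry records exploitation as "poc".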
    Assigner
    References
    Impacted products
    Vendor | Product | Version
    Unknown | Ultimate Member | Affected: from 0 to before 2.6.7 (version type: custom)
    Credits
    Unknown (finder), Marc Montpas (finder), WPScan (coordinator)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:55:03.501Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3460",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T16:47:09.186881Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T16:47:17.644Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "Ultimate Member",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.6.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Unknown"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Marc Montpas"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-04T07:23:28.852Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7"
            },
            {
              "url": "https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Ultimate Member \u003c 2.6.7 - Unauthenticated Privilege Escalation",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2023-3460",
        "datePublished": "2023-07-04T07:23:28.852Z",
        "dateReserved": "2023-06-29T13:45:40.301Z",
        "dateUpdated": "2024-11-25T16:47:17.644Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3460 (GCVE-0-2023-3460)

    Vulnerability from cvelistv5 – Published: 2023-07-04 07:23 – Updated: 2024-11-25 16:47
    VLAI
    Title
    Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
    Summary
    The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
    Severity
    No CVSS data available.
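    SSVC
    Exploitation: poc; Automatable: yes; Technical Impact: total
    Source: CISA Coordinator (v2.0.3)
    Note: the summary above reports active exploitation in the wild, while this SSVC entry records exploitation as "poc".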
    Assigner
    References
    Impacted products
    Vendor | Product | Version
    Unknown | Ultimate Member | Affected: from 0 to before 2.6.7 (version type: custom)
    Credits
    Unknown (finder), Marc Montpas (finder), WPScan (coordinator)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:55:03.501Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3460",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T16:47:09.186881Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T16:47:17.644Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "Ultimate Member",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.6.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Unknown"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Marc Montpas"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-04T07:23:28.852Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7"
            },
            {
              "url": "https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Ultimate Member \u003c 2.6.7 - Unauthenticated Privilege Escalation",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2023-3460",
        "datePublished": "2023-07-04T07:23:28.852Z",
        "dateReserved": "2023-06-29T13:45:40.301Z",
        "dateUpdated": "2024-11-25T16:47:17.644Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }