CVE-2019-10673
Summary
| CVE | CVE-2019-10673 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-04-03 05:29:00 UTC |
| Updated | 2020-03-16 09:15:00 UTC |
| Description | A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the e-mail address in the administrator profile, and then the attacker is able to reset the administrator password using the WordPress "password forget" form. |
Risk And Classification
Problem Types: CWE-352
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ultimatemember | Ultimate Member | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Ultimate Member < 2.0.40 - Cross-Site Request Forgery (CSRF) | MISC | wpvulndb.com | |
| WordPress Ultimate Member 2.0.38 Cross Site Request Forgery ≈ Packet Storm | MISC | packetstormsecurity.com | Exploit, Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.