CVE-2022-3383
CVSS V2 None
CVSS V3 None
Description
The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server.
Overview
- CVE ID
- CVE-2022-3383
- Assigner
- security@wordfence.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-11-29T21:15:10.987
- Last Modified Date
- 2022-12-01T20:14:55.393
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:* | 1 | OR | 2.5.0 |
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/H4de5-7/vulnerabilities/blob/main/CVE-2022-3383%20%26%26%20CVE-2022-3384.md | Exploit Third Party Advisory |
| https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2805393%40ultimate-member&new=2805393%40ultimate-member&sfp_email=&sfph_mail= | Patch Third Party Advisory |
| https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3383 | Third Party Advisory |
| https://www.yuque.com/docs/share/8796eef9-ac4c-4339-96b4-6c21313ecf3e | Exploit Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-3383 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3383 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-12-07 18:05:31 | Added to TrackCVE |