CVE-2022-3384

CVSS V2 None CVSS V3 None
Description
The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and passes it through call_user_func(). This is restricted to non-parameter PHP functions like phpinfo(); since user supplied parameters are not passed through the function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the server.
Overview
  • CVE ID
  • CVE-2022-3384
  • Assigner
  • security@wordfence.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-11-29T21:15:11.067
  • Last Modified Date
  • 2022-12-01T20:28:08.203
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:* 1 OR 2.5.0
History
Created Old Value New Value Data Type Notes
2022-12-07 18:05:32 Added to TrackCVE