N/A

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta. An attacker could supply an array parameter for sensitive metadata, such as the wp_capabilities user meta that defines a user's role. During the registration process, submitted registration details were passed to the update_profile function, and any metadata was accepted, e.g., wp_capabilities[administrator] for Administrator access.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

N/A

WordPress 安全漏洞

WordPress是WordPress（Wordpress）基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。Ultimate Member plugin是使用在其中的一款用于创建会员网站或在线社区的插件。 Ultimate Member plugin before 2.1.12 for WordPress 存在安全漏洞，攻击者可利用该漏洞可以为敏感元数据提供数组参数。

N/A

N/A