脆弱性情報
高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure
脆弱性説明
The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be used as a member directory by computing SUBSTRING(MD5(post_id), 11, 5), (2) a strstr() parsing logic flaw in post_data() that allows bypassing WordPress's protected meta key restrictions by placing '_um_' anywhere in the meta key name rather than at the start, and (3) missing field name validation in build_user_card_data() that allows arbitrary field names including 'password_reset_link' to be passed to um_filtered_value(). This makes it possible for authenticated attackers with Contributor-level access and above to create a malicious post via XMLRPC with crafted meta fields, use the MD5 fallback to point the member directory AJAX handler to their post, inject 'password_reset_link' into the tagline_fields configuration, and leak live password reset URLs for all users in the member directory response, including administrators.
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
脆弱性タイプ
授权机制缺失
脆弱性タイトル
Ultimate Member Ultimate Member授权问题漏洞
脆弱性説明
Ultimate Member Ultimate Member是Ultimate Member团队的一款用户会员管理插件。 Ultimate Member Ultimate Member2.11.4及之前版本存在授权问题漏洞,该漏洞源于一系列逻辑漏洞:MD5哈希回退、strstr()解析逻辑缺陷以及字段名验证缺失,可能导致经过身份验证的攻击者通过泄露密码重置链接实现账户接管。
CVSS情報
N/A
脆弱性タイプ
N/A