JVN#28804532: Multiple vulnerabilities in WordPress plugin "Ultimate Member"

Overview

The WordPress plugin "Ultimate Member" contains multiple vulnerabilities.

Products Affected

Ultimate Member prior to version 2.0.4

Description

The WordPress plugin "Ultimate Member" provided by Ultimate Member contains multiple vulnerabilities listed below.

Cross-site Scripting (CWE-79) - CVE-2018-0585

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4

CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
Directory Traversal in the shortcodes function (CWE-22) - CVE-2018-0586

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Base Score: 5.0

CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
Arbitrary File Upload (CWE-434) - CVE-2018-0587

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3

CVSS v2 AV:N/AC:L/Au:N/C:N/I:P/A:N Base Score: 5.0
Directory Traversal in the AJAX function (CWE-22) - CVE-2018-0588

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L Base Score: 7.2

CVSS v2 AV:N/AC:L/Au:N/C:N/I:P/A:P Base Score: 6.4
Access Restriction Bypass in the "Forms" page (CWE-284) - CVE-2018-0589

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3

CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
Access Restriction Bypass due to an issue in processing "Role" (CWE-284) - CVE-2018-0590

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3

CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0

Impact

An arbitrary script may be executed on the user's web browser - CVE-2018-0585
Arbitrary local files on the server may be accessed by a logged-in user - CVE-2018-0586
An arbitrary image file can be uploaded by a remote attacker, which may be used for unauthorized file sharing - CVE-2018-0587
A remote attacker may delete arbitrary files on the server - CVE-2018-0588
A user with the Author role may add a new form - CVE-2018-0589
Profiles for other users may be modified by a logged-in user - CVE-2018-0590

Solution

Update the plugin
Update the plugin according to the information provided by the developer.

Vendor Status

Vendor	Link
Ultimate Member	Ultimate Member - WordPress Plugins - Changelog

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2018-0585
	CVE-2018-0586
	CVE-2018-0587
	CVE-2018-0588
	CVE-2018-0589
	CVE-2018-0590
JVN iPedia	JVNDB-2018-000045

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	Base Score: 5.4
CVSS v2	AV:N/AC:L/Au:S/C:N/I:P/A:N	Base Score: 4.0

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N	Base Score: 5.0
CVSS v2	AV:N/AC:L/Au:S/C:P/I:N/A:N	Base Score: 4.0

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	Base Score: 5.3
CVSS v2	AV:N/AC:L/Au:N/C:N/I:P/A:N	Base Score: 5.0

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L	Base Score: 7.2
CVSS v2	AV:N/AC:L/Au:N/C:N/I:P/A:P	Base Score: 6.4

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	Base Score: 4.3
CVSS v2	AV:N/AC:L/Au:S/C:P/I:N/A:N	Base Score: 4.0

JVN#28804532 Multiple vulnerabilities in WordPress plugin "Ultimate Member"