Vulnerability Details : CVE-2022-1209
The Ultimate Member plugin for WordPress, in versions up to and including 2.3.1, is vulnerable to arbitrary redirects due to insufficient validation of user-supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims to an attacker-chosen site.
Products affected by CVE-2022-1209
- cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-1209
0.22%
Probability of exploitation activity in the next 30 days
EPSS Score History
~61%
Percentile: the proportion of vulnerabilities with an EPSS score at or below this one
CVSS scores for CVE-2022-1209
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST | |
3.5 | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | 2.1 | 1.4 | Wordfence | |
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | 2.8 | 1.4 | Wordfence | 2024-01-11 |
References for CVE-2022-1209
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d638120b-5396-408b-8273-d003ff9dd01d?source=cve
  Ultimate Member <= 2.3.1 - Arbitrary Redirect (Wordfence)
- https://github.com/ultimatemember/ultimatemember/issues/989
  Security issues in URL and social fields · Issue #989 · ultimatemember/ultimatemember · GitHub (Exploit; Issue Tracking; Third Party Advisory)
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1209
  Vulnerability Advisories - Wordfence (Third Party Advisory)
- https://github.com/ultimatemember/ultimatemember/pull/990
  Security issues in URL and social fields by yuriinalivaiko · Pull Request #990 · ultimatemember/ultimatemember · GitHub (Third Party Advisory)
- https://github.com/H4de5-7/vulnerabilities/blob/main/Ultimate%20Member%20%3C%3D%202.3.1%20-%20Open%20Redirect.md
  vulnerabilities/Ultimate Member <= 2.3.1 - Open Redirect.md at main · H4de5-7/vulnerabilities · GitHub (Exploit; Third Party Advisory)