Ultimate Member <= 1.3.75 - Unauthenticated Change Passwords

Description
Ultimate Member <= 1.3.75 allows unauthenticated users to change an arbitrary user's password, which could allow complete system access.

Affects Plugin

fixed in version 1.3.76

References

URL http://www.pritect.net/blog/ultimate-member-1-3-76-critical-security-issue
URL https://github.com/ultimatemember/ultimatemember/commit/c54e8d3c56027f1c87f62e54c722dc7c6e72f78a
URL https://github.com/ultimatemember/ultimatemember/commit/b66c99bec200aec2eda5d53ebf8495e705933081

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Submitter James Golovich
Submitter Website https://pritect.net
Submitter Twitter Pritect
Views 297
Verified No
WPVDB ID 8688

Timeline

Publicly Published 2016-12-06 (about 1 year ago)
Added 2016-12-08 (about 1 year ago)
Last Updated 2016-12-08 (about 1 year ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.