CVE-2022-1208
CVE-2022-1208 is a medium-severity vulnerability with a CVSS v3.1 base score of 5.4/10. The Ultimate Member plugin for WordPress is vulnerable to stored cross-site scripting via the Biography field on individual user profile pages: insufficient input sanitization and output escaping let a user submit an HTML-entity-encoded script payload that passes the input filter and is then decoded and rendered as live markup when the profile page is viewed. Versions up to and including 2.3.2 are affected, and the fix shipped in 2.3.2 was only partial. EPSS estimates a 0.85% chance of exploitation in the next 30 days.
Description
The Ultimate Member plugin for WordPress is vulnerable to stored cross-site scripting via the Biography field featured on individual user profile pages. Because input sanitization and output escaping are insufficient, a user can submit malicious web script in HTML-entity-encoded form; the encoded payload survives the input filter and is reflected back onto the profile page, where it is decoded and rendered. This affects versions up to and including 2.3.2. Note that the fix in version 2.3.2 was only partial, which is why 2.3.2 itself is still listed as affected; sites should update to a later release.
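The filter-then-decode pattern the description points at, as an added illustration that is not code from the Ultimate Member plugin or from the advisory: a toy profile-field pipeline in Python whose input filter is a tag allowlist applied to the raw submission and whose output stage decodes HTML entities, beside a hardened pipeline that canonicalises (decodes entities to a fixed point) before filtering and allowlists plus escapes at output. The allowlist, the regexes, the payload strings and the `has_live_markup` heuristic are all constructed for this example and are not the plugin's real filter (which is built on WordPress's `wp_kses` family) or a reproduction of its code path. The example also covers two cases the advisory does not mention, double-encoded input and an event-handler attribute on an otherwise allowed tag, because a fix that only handles one layer of encoding or only tag names leaves those open.

```python
import html
import re

# Allowlist and tag regex are constructed for this example, not the plugin's filter.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")
# Heuristic "would this execute in a browser" check, used only for the demo.
LIVE_RE = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b|<[^>]*\son[a-z]+\s*=", re.I
)

# Constructed sample submissions (not payloads taken from the advisory).
RAW_PAYLOAD = "<img src=x onerror=alert(1)>"
ENCODED_PAYLOAD = "&lt;img src=x onerror=alert(1)&gt;"
DOUBLE_ENCODED_PAYLOAD = "&amp;lt;img src=x onerror=alert(1)&amp;gt;"
ATTR_PAYLOAD = "<b onmouseover=alert(1)>hi</b>"
BENIGN = "Loves <b>bold</b> text & <i>italics</i>"


def strip_disallowed_tags(text: str) -> str:
    """Drop any tag whose name is not allowlisted. Only a literal '<' is seen,
    so an entity-encoded tag such as &lt;img ...&gt; passes straight through."""
    return TAG_RE.sub(
        lambda m: m.group(0) if m.group(2).lower() in ALLOWED_TAGS else "", text
    )


def decode_to_fixed_point(text: str, max_rounds: int = 5) -> str:
    """Decode HTML entities until the string stops changing, so double- or
    triple-encoded input is canonicalised before any filtering decision."""
    for _ in range(max_rounds):
        decoded = html.unescape(text)
        if decoded == text:
            return text
        text = decoded
    return text


def sanitize_for_output(text: str) -> str:
    """Output encoder: escape all text, re-emit allowlisted tags without their
    attributes, drop every other tag. It never decodes entities."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        if m.group(2).lower() in ALLOWED_TAGS:
            out.append(f"<{m.group(1)}{m.group(2).lower()}>")  # attributes dropped
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Vulnerable model: filter the raw submission, then decode entities at render time.
def store_bio_vulnerable(submitted: str) -> str:
    return strip_disallowed_tags(submitted)


def render_bio_vulnerable(stored: str) -> str:
    return html.unescape(stored)  # turns a stored &lt;img ...&gt; into live markup


# Hardened model: canonicalise before filtering, allowlist and escape at output.
def store_bio_hardened(submitted: str) -> str:
    return strip_disallowed_tags(decode_to_fixed_point(submitted))


def render_bio_hardened(stored: str) -> str:
    return sanitize_for_output(stored)


def has_live_markup(rendered: str) -> bool:
    """True if the rendered HTML contains script-bearing tags or event handlers."""
    return LIVE_RE.search(rendered) is not None


if __name__ == "__main__":
    cases = [("raw", RAW_PAYLOAD), ("encoded", ENCODED_PAYLOAD),
             ("double", DOUBLE_ENCODED_PAYLOAD), ("attr", ATTR_PAYLOAD),
             ("benign", BENIGN)]
    for label, bio in cases:
        weak = render_bio_vulnerable(store_bio_vulnerable(bio))
        hard = render_bio_hardened(store_bio_hardened(bio))
        print(f"{label:8} vulnerable live={has_live_markup(weak)!s:5} -> {weak!r}")
        print(f"{'':8} hardened   live={has_live_markup(hard)!s:5} -> {hard!r}")
```

The raw `<img ...>` payload is blocked by both pipelines, which is the false sense of safety the weak filter gives. The entity-encoded form sails through the vulnerable filter and becomes live markup only at render time; the hardened pipeline decodes first and so sees, and drops, the same tag. Values already stored under the vulnerable scheme are not rewritten by the hardened render, but `sanitize_for_output` escapes them rather than decoding them, so they display as inert text.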
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Reading the vector: reachable over the network with low attack complexity; the attacker needs a low-privileged account (one that can edit its own profile Biography); a victim must interact by viewing the profile page; scope is changed because the script runs in the viewing user's browser rather than in the plugin itself; confidentiality and integrity impact are low and availability is unaffected. These values give the 5.4 base score.
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Ultimatemember | Ultimate Member | <= 2.3.2 |
References
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1208 (Third Party Advisory)
Frequently Asked Questions
What is CVE-2022-1208?
A stored cross-site scripting vulnerability in the Biography field of the Ultimate Member plugin for WordPress. An authenticated user can save an HTML-entity-encoded script payload that the input filter does not catch and that is decoded and rendered when another user views the profile page. Versions up to and including 2.3.2 are affected.
How severe is CVE-2022-1208?
Medium: CVSS v3.1 base score 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). Exploitation needs an account able to edit a profile Biography and a victim who views that profile. EPSS puts the probability of exploitation in the next 30 days at 0.85%.
How do I fix CVE-2022-1208?
Update Ultimate Member to a release newer than 2.3.2. The fix included in 2.3.2 was only partial, so 2.3.2 itself remains listed as affected. Because the payload is stored, Biography values saved before the update can still contain encoded markup and are worth reviewing after upgrading.
Are you affected by CVE-2022-1208?
Any WordPress site running Ultimate Member version 2.3.2 or earlier is affected; check the installed version in the WordPress plugin list.
Source: NVD / NIST
