vulnerability
WordPress Plugin: ultimate-member: CVE-2019-10270: Improper Privilege Management
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:N/I:P/A:N) | Jun 15, 2019 | May 15, 2025 | May 15, 2025 |
Severity
4
CVSS
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
Published
Jun 15, 2019
Added
May 15, 2025
Modified
May 15, 2025
Description
An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.0.39 for WordPress. It is possible (due to lack of verification and correlation between the reset password key sent by mail and the user_id parameter) to reset the password of another user. One only needs to know the user_id, which is publicly available. One just has to intercept the password modification request and modify user_id. It is possible to modify the passwords for any users or admin WordPress Ultimate Members. This could lead to account compromise and privilege escalation.
Solution
ultimate-member-plugin-cve-2019-10270
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.