vulnerability

WordPress Plugin: ultimate-member: CVE-2019-10271: Missing Authorization

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:S/C:N/I:P/A:N)

Published

Jun 15, 2019

Added

May 15, 2025

Modified

Apr 30, 2026

Description

An issue was discovered in the Ultimate Member plugin 2.0.39 for WordPress. It allows unauthorized profile and cover picture modification. It is possible to modify the profile and cover picture of any user once one is connected. One can also modify the profiles and cover pictures of privileged users. To perform such a modification, one first needs to (for example) intercept an upload-picture request and modify the user_id parameter.

Solution

ultimate-member-plugin-cve-2019-10271

References

https://www.cve.org/CVERecord?id=CVE-2019-10271
https://www.wordfence.com/threat-intel/vulnerabilities/id/00b4b903-4682-458b-9681-751179460b75?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2019-2274
CVE-2019-10271
https://attackerkb.com/topics/CVE-2019-10271
EUVD-EUVD-2019-2274

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report