WordPress Plugin Vulnerabilities
Ultimate Member < 2.5.1 - Contributor+ LFI via Traversal
Description
The plugin does not validate and sanitize the template attribute of its shortcode before using it in an include statement, which could allow users with a role as low as contributor to perform local file inclusion attacks via a path traversal vector.
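The class of check that closes this kind of bug, shown as an added example that is neither the plugin's code nor its actual patch: the shortcode's template value is allowlisted as a bare name, and the canonical path is confirmed to sit inside the template directory before anything reaches `include`. The helper name `example_resolve_template()`, the directory layout and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example with hypothetical names; not Ultimate Member's code.

/**
 * Resolve a shortcode "template" attribute to a file inside $templateDir.
 * Returns the canonical path, or null if the value must not be included.
 */
function example_resolve_template(string $requested, string $templateDir): ?string
{
    // 1. Allowlist the name: letters, digits, dash and underscore only.
    //    Path separators, dots and null bytes never get past this point.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    // 2. Canonicalise both paths and require the file to sit under the
    //    base directory (also catches symlinks that point elsewhere).
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data: a temporary template directory with one template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'profile.php', "<?php echo 'profile';\n");

// Constructed attribute values, as a contributor could type them in a post.
foreach (['profile', 'missing', '../../wp-config', 'profile.php', ''] as $attr) {
    $resolved = example_resolve_template($attr, $dir);
    $verdict  = $resolved === null ? 'rejected' : 'include ' . basename($resolved);
    printf("%-20s => %s\n", var_export($attr, true), $verdict);
}

// Clean up the demo directory.
unlink($dir . DIRECTORY_SEPARATOR . 'profile.php');
rmdir($dir);
```

Doing the name allowlist first keeps the `realpath()` containment check as a second layer rather than the only one.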
Affects Plugins
References
CVE
Classification
Type
TRAVERSAL
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Ruijie Li
Verified
No
WPVDB ID
Timeline
Publicly Published
2022-10-28
Added
2022-10-30
Last Updated
2022-10-30