Remote Code Execution Vulnerability in Ultimate Member WordPress Plugin

Remote Code Execution Vulnerability in Ultimate Member WordPress Plugin

CVE-2022-3383 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server.

Learn more about our Wordpress Pen Testing.