CVE-2022-1209

The Ultimate Member plugin for WordPress is vulnerable to arbitrary redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims in versions up to, and including, 2.3.1.
Open Redirect
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
ultimatememberultimate_member
𝑥
≤ 2.3.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/H4de5-7/vulnerabilities/blob/main/Ultimate%20Member%20%3C%3D%202.3.1%20-%20Open%20Redirect.md
https://github.com/ultimatemember/ultimatemember/issues/989
https://github.com/ultimatemember/ultimatemember/pull/990
https://www.wordfence.com/threat-intel/vulnerabilities/id/d638120b-5396-408b-8273-d003ff9dd01d?source=cve
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1209
https://github.com/H4de5-7/vulnerabilities/blob/main/Ultimate%20Member%20%3C%3D%202.3.1%20-%20Open%20Redirect.md
https://github.com/ultimatemember/ultimatemember/issues/989
https://github.com/ultimatemember/ultimatemember/pull/990
https://www.wordfence.com/threat-intel/vulnerabilities/id/d638120b-5396-408b-8273-d003ff9dd01d?source=cve
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1209