CVE-2022-3384

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and passes it through call_user_func(). This is restricted to non-parameter PHP functions like phpinfo(); since user supplied parameters are not passed through the function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the server.
Configurations

Configuration 1

cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*

Information

Published : 2022-11-29 09:15

Updated : 2022-12-01 08:28


NVD link : CVE-2022-3384

Mitre link : CVE-2022-3384

Products Affected
No products.
CWE