Severity: 8.8 (High)
CWE: 640 (Weak Password Recovery Mechanism for Forgotten Password)
Advisory Published

CVE-2019-10270

First published: Fri Jun 21 2019

An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. Because the plugin does not verify that the reset password key sent by mail belongs to the account named by the user_id parameter, it is possible to reset the password of another user. One only needs to know the user_id, which is publicly available: intercept the password modification request and change user_id. The passwords of any user managed by Ultimate Member, including WordPress administrators, can be modified in this way. This could lead to account compromise and privilege escalation.
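As an added illustration that is not code from the advisory or from the Ultimate Member plugin, the following Python model shows the check that is missing: a reset key must be stored against exactly one user_id and verified against the user_id in the submitted form. The in-memory stores, function names and form fields are hypothetical; the vulnerable variant only confirms that the key exists somewhere.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stands-ins for the user table and per-user reset keys.
USERS = {1: {"login": "admin", "pw": None}, 2: {"login": "alice", "pw": None}}
RESET_KEYS = {}  # user_id -> (sha256 hex of key, expiry epoch seconds)


def issue_reset_key(user_id: int, ttl: int = 3600) -> str:
    """Create a single-use reset key bound to one user_id; only its hash is stored."""
    key = secrets.token_urlsafe(32)
    RESET_KEYS[user_id] = (hashlib.sha256(key.encode()).hexdigest(), time.time() + ttl)
    return key  # this value is what would be mailed to the user


def _key_matches(user_id: int, key: str) -> bool:
    """True only if an unexpired key exists for this user_id and it matches."""
    rec = RESET_KEYS.get(user_id)
    if rec is None or time.time() > rec[1]:
        return False
    return hmac.compare_digest(rec[0], hashlib.sha256(key.encode()).hexdigest())


def reset_password_vulnerable(form: dict) -> bool:
    """Models the flaw: the key is checked for existence but never tied to the
    user_id supplied by the client, so any valid key resets any account."""
    key_hash = hashlib.sha256(form["key"].encode()).hexdigest()
    if not any(h == key_hash for h, _ in RESET_KEYS.values()):
        return False
    USERS[int(form["user_id"])]["pw"] = form["password"]  # placeholder, no real hashing
    return True


def reset_password_fixed(form: dict) -> bool:
    """Hardened: the key must verify against the user_id in the request, the
    user must exist, and the key is consumed on success."""
    user_id = int(form["user_id"])
    if user_id not in USERS or not _key_matches(user_id, form["key"]):
        return False
    USERS[user_id]["pw"] = form["password"]  # placeholder, no real hashing
    del RESET_KEYS[user_id]
    return True
```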

Credit: cve@mitre.org

Affected Software   Affected Version   How to fix
Ultimate Member     <2.0.40            (not stated)


Frequently Asked Questions

  • What is the vulnerability ID for this issue?

    The vulnerability ID for this issue is CVE-2019-10270.

  • What is the affected software for this vulnerability?

    The affected software for this vulnerability is Ultimate Member plugin 2.39 for WordPress.

  • What is the severity of CVE-2019-10270?

    The severity of CVE-2019-10270 is high with a severity value of 8.8.

  • How can the arbitrary password reset issue be exploited?

    It is possible to reset the password of another user by exploiting the lack of verification and correlation between the reset password key sent by mail and the user_id parameter.

  • Is there a fix available for this vulnerability?

    This advisory gives no fix information. Update to a newer version if one is available, or apply any patches or mitigations provided by the vendor.

Contact

SecAlerts Pty Ltd.