CVE-2019-10673: CSRF
First published: Wed Apr 03 2019(Updated: )
A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the e-mail address in the administrator profile, and then the attacker is able to reset the administrator password using the WordPress "password forget" form.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ultimate Member | <2.0.40 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-10673?
CVE-2019-10673 is a CSRF vulnerability in the Ultimate Member plugin before 2.0.40 for WordPress that allows attackers to become admin, extract sensitive information, and execute arbitrary code.
How can an attacker exploit CVE-2019-10673?
An attacker can exploit CVE-2019-10673 by changing the e-mail address in the admin account, allowing them to become an admin and perform malicious actions.
What is the severity of CVE-2019-10673?
CVE-2019-10673 has a severity rating of 8.8 (Critical).
Which version of the Ultimate Member plugin is affected by CVE-2019-10673?
The Ultimate Member plugin before version 2.0.40 for WordPress is affected by CVE-2019-10673.
How can I fix CVE-2019-10673?
To fix CVE-2019-10673, update the Ultimate Member plugin to version 2.0.40 or later.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ultimatemember
- canonical/ultimate member