What is CVE-2020-6859?

CVE-2020-6859 is a vulnerability in the Ultimate Member plugin for WordPress that allows remote attackers to change other users' profiles and cover photos.

What is the severity of CVE-2020-6859?

CVE-2020-6859 has a severity rating of medium with a CVSS score of 5.3.

How does CVE-2020-6859 work?

CVE-2020-6859 exploits insecure direct object reference vulnerabilities in the Ultimate Member plugin's includes/core/class-files.php file, allowing attackers to modify user profiles by manipulating the user_id parameter.

Which version of the Ultimate Member plugin is affected by CVE-2020-6859?

The Ultimate Member plugin version 2.1.2 for WordPress is affected by CVE-2020-6859.

Is there a fix for CVE-2020-6859?

Yes, an official fix for CVE-2020-6859 has been released by the Ultimate Member plugin developers. It is recommended to update to the latest version of the plugin to mitigate the vulnerability.

Vulnerability/
CVE-2020-6859

medium

5.3

CWE

639

13/1/2020

4/8/2024

CVE-2020-6859

First published: Mon Jan 13 2020(Updated: )

Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parameter. This is related to ajax_image_upload and ajax_resize_image.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Ultimate Member	<=2.1.2

Remedy

https://github.com/ultimatemember/ultimatemember/commit/249682559012734a4f7d71f52609b2f301ea55b1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2020-6859?
CVE-2020-6859 is a vulnerability in the Ultimate Member plugin for WordPress that allows remote attackers to change other users' profiles and cover photos.
What is the severity of CVE-2020-6859?
CVE-2020-6859 has a severity rating of medium with a CVSS score of 5.3.
How does CVE-2020-6859 work?
CVE-2020-6859 exploits insecure direct object reference vulnerabilities in the Ultimate Member plugin's includes/core/class-files.php file, allowing attackers to modify user profiles by manipulating the user_id parameter.
Which version of the Ultimate Member plugin is affected by CVE-2020-6859?
The Ultimate Member plugin version 2.1.2 for WordPress is affected by CVE-2020-6859.
Is there a fix for CVE-2020-6859?
Yes, an official fix for CVE-2020-6859 has been released by the Ultimate Member plugin developers. It is recommended to update to the latest version of the plugin to mitigate the vulnerability.

agent/type
collector/mitre-cve
source/MITRE
agent/weakness
agent/last-modified-date
agent/severity
agent/author
agent/references
agent/remedy
agent/description
agent/first-publish-date
agent/event
agent/source
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/ultimatemember
canonical/ultimate member
version/ultimate member/2.1.2

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.