Ruijie Li

**Name of the Vulnerable Software and Affected Versions** The Ultimate Member plugin for WordPress versions up to, and including 2.5.0 **Description** The issue is related to directory traversal due to insufficient input validation on the `template` attribute used in shortcodes. This allows attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a php file, remote code execution via inclusion may also be possible. For users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users. **Recommendations** For versions up to, and including 2.5.0, consider disabling the use of the `template` attribute in shortcodes until a patch is available. Restrict access to /wp-admin for users with less than administrative capabilities to minimize the risk of exploitation. Avoid using the `template` attribute in shortcodes for users who do not require administrative access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Ultimate Member plugin for WordPress versions up to, and including, 2.5.0 **Description** The issue allows for Remote Code Execution via the `get option value from callback` function, which accepts user-supplied input and passes it through `call user func()`. This enables authenticated attackers with administrative capabilities to execute code on the server. **Recommendations** For versions up to, and including, 2.5.0, update to a version later than 2.5.0 to resolve the issue. As a temporary workaround, consider restricting access to the `get option value from callback` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Ultimate Member plugin for WordPress versions up to, and including, 2.5.0 **Description** The issue allows for Remote Code Execution via the `populate dropdown options` function, which accepts user-supplied input and passes it through `call user func()`. This is restricted to non-parameter PHP functions like `phpinfo()`, as user-supplied parameters are not passed through the function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the server. **Recommendations** For versions up to, and including, 2.5.0, consider disabling the `populate dropdown options` function as a temporary workaround until a patch is available. Restrict access to non-parameter PHP functions like `phpinfo()` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Ultimate Member plugin for WordPress versions up to, and including, 2.3.2 **Description** The issue is related to Stored Cross-Site Scripting via the Biography field on individual user profile pages. This is due to insufficient input sanitization and output escaping, allowing users to encode malicious web scripts with HTML encoding that is reflected back on the page. **Recommendations** For versions up to, and including, 2.3.2, consider disabling the Biography field on user profile pages until a complete fix is available, as the issue was only partially fixed in version 2.3.2.

**Name of the Vulnerable Software and Affected Versions** The Ultimate Member plugin for WordPress versions up to, and including, 2.3.1 **Description** The issue is related to arbitrary redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page. This makes it possible for attackers to redirect unsuspecting victims. **Recommendations** For versions up to, and including, 2.3.1, update to a version later than 2.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the social fields of the Profile Page to minimize the risk of exploitation.