Tiborisaak

**Name of the Vulnerable Software and Affected Versions** The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress versions up to, and including, 2.9.2 **Description** The issue is related to second-order SQL Injection via filenames due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers with access to upload files and manage filenames to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database. The risk of this issue is considered minimal as it requires a user to be able to manipulate filenames to successfully exploit. **Recommendations** For versions up to, and including, 2.9.2, update to a version later than 2.9.2 to resolve the issue. As a temporary workaround, consider restricting access to file uploads and filename management to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin versions up to, and including, 2.8.9 **Description** The issue allows authenticated attackers with subscriber-level access and above to update the profile pictures of other users due to a missing capability check on the `wp ajax um resize image()` and `ajax resize image()` functions. **Recommendations** For versions up to, and including, 2.8.9, update to a version that includes a fix for the missing capability check in the `wp ajax um resize image()` and `ajax resize image()` functions. As a temporary workaround, consider restricting access to the `wp ajax um resize image()` and `ajax resize image()` functions to prevent unauthorized profile picture updates.

**Name of the Vulnerable Software and Affected Versions** The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress versions up to, and including, 2.8.4 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, specifically via the `Skype` and `Spotify` URL parameters. This allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.8.4, update to a version higher than 2.8.4 to resolve the issue. As a temporary workaround, consider restricting access to the `Skype` and `Spotify` URL parameters to minimize the risk of exploitation.