CVE-2019-10270

Name of the Vulnerable Software and Affected Versions Ultimate Member plugin version 2.39 for WordPress

Description An issue was discovered in the password reset functionality, allowing an attacker to reset the password of another user without proper verification. This is possible because the user id parameter is not properly correlated with the reset password key sent by email. An attacker can intercept the password modification request and modify the user id to target any user, including admins, potentially leading to account compromise and privilege escalation.

Recommendations For Ultimate Member plugin version 2.39, consider disabling the password reset functionality until a patch is available to prevent exploitation. Restrict access to the password modification request to minimize the risk of interception and modification of the user id parameter.