CVE-2022-3384

Name of the Vulnerable Software and Affected Versions The Ultimate Member plugin for WordPress versions up to, and including, 2.5.0

Description The issue allows for Remote Code Execution via the populate dropdown options function, which accepts user-supplied input and passes it through call user func(). This is restricted to non-parameter PHP functions like phpinfo(), as user-supplied parameters are not passed through the function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the server.

Recommendations For versions up to, and including, 2.5.0, consider disabling the populate dropdown options function as a temporary workaround until a patch is available. Restrict access to non-parameter PHP functions like phpinfo() to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.