WordPress Ultimate Member Plugin Missing Authorization Vulnerability - CVE-2024-10528 - Vulnerability Database

WordPress Ultimate Member Plugin Missing Authorization Vulnerability - CVE-2024-10528

Medium

Reference: CVE-2024-10528

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2024-10528

Title: WordPress Ultimate Member Plugin Missing Authorization Vulnerability

Overview:

The Ultimate Member User Profile Registration Login Member Directory Content Restriction amp Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_ajax_um_resize_image() and ajax_resize_image() functions in all versions up to and including 2.8.9. This makes it possible for authenticated attackers with subscriber-level access and above to update the profile pictures of other users.