CVE-2022-3361 - OpenCVE

Vendors	Products
Ultimatemember	Ultimate Member

Link	Resource
https://github.com/H4de5-7/vulnerabilities/blob/main/CVE-2022-3361.md	Exploit Third Party Advisory
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2805393%40ultimate-member&new=2805393%40ultimate-member&sfp_email=&sfph_mail=	Patch Third Party Advisory
https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3361	Third Party Advisory
https://www.yuque.com/docs/share/23f988ad-1402-42f2-b8d2-c7a87a4022bd	Exploit Third Party Advisory

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-3361", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "requesterUserId": "8d345d3f-a59e-4410-a440-fac6e918fcfc", "dateReserved": "2022-09-29T17:20:33.684Z", "datePublished": "2022-11-29T20:39:43.596Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2022-11-29T20:39:43.596Z"}, "affected": [{"vendor": "ultimatemember", "product": "Ultimate Member \u2013 User Profile, User Registration, Login & Membership Plugin", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a php file then remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users."}], "references": [{"url": "https://www.yuque.com/docs/share/23f988ad-1402-42f2-b8d2-c7a87a4022bd"}, {"url": "https://github.com/H4de5-7/vulnerabilities/blob/main/CVE-2022-3361.md"}, {"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3361"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2805393%40ultimate-member&new=2805393%40ultimate-member&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/A:N/I:N/C:L/S:U/UI:N/PR:L/AC:L/AV:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ruijie Li"}], "timeline": [{"time": "2022-09-26T00:00:00.000+00:00", "lang": "en", "value": "Vendor Notified"}, {"time": "2022-10-28T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "2E53910D-E315-404D-8986-84DFA5E94E37", "versionEndIncluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a php file then remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users."}, {"lang": "es", "value": "El complemento Ultimate Member para WordPress es vulnerable al directory traversal en versiones hasta la 2.5.0 incluida debido a una validaci\u00f3n de entrada insuficiente en el atributo 'template' utilizado en los shortcodes. Esto hace posible que los atacantes con privilegios administrativos proporcionen rutas arbitrarias utilizando el recorrido (../../) para acceder e incluir archivos fuera del directorio deseado. Si un atacante puede cargar con \u00e9xito un archivo php, tambi\u00e9n es posible la ejecuci\u00f3n remota de c\u00f3digo mediante inclusi\u00f3n. \nNota: para los usuarios con capacidades inferiores a las administrativas, el acceso /wp-admin debe estar habilitado para ese usuario para que pueda explotarlo."}], "id": "CVE-2022-3361", "lastModified": "2023-11-07T03:51:10.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2022-11-29T21:15:10.903", "references": [{"source": "security@wordfence.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/H4de5-7/vulnerabilities/blob/main/CVE-2022-3361.md"}, {"source": "security@wordfence.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2805393%40ultimate-member&new=2805393%40ultimate-member&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3361"}, {"source": "security@wordfence.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.yuque.com/docs/share/23f988ad-1402-42f2-b8d2-c7a87a4022bd"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

JSON object

JSON object

JSON object