CVE-2024-12276

Summary

CVE-2024-12276 is a vulnerability affecting the Ultimate Member plugin for WordPress. The flaw, present in all versions up to 2.9.2, stems from insufficient escaping of user-supplied filenames and a lack of preparation of existing SQL queries. This combination enables authenticated attackers, who have the ability to upload files and manage filenames via third-party plugins like File Managers, to inject additional SQL queries into existing ones. The exploitation of this vulnerability carries a minimal risk, as it requires the attacker to manipulate filenames successfully.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.