{"id":"CVE-2018-6944","details":"core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.","modified":"2026-03-14T04:42:37.328895Z","published":"2018-02-16T14:29:00.740Z","references":[{"type":"WEB","url":"https://wpvulndb.com/vulnerabilities/9705"},{"type":"EVIDENCE","url":"https://packetstormsecurity.com/files/146403/WordPress-UltimateMember-2.0-Cross-Site-Scripting.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ultimatemember/ultimatemember","events":[{"introduced":"0"},{"last_affected":"6bdb6af868d4dfd94c1ae347e49668ebb3ee99d7"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.0"}]}}],"versions":["1.3.48","1.3.59","1.3.88","1.3.88.4","1.3.88.5","1.3.88.6","2.0","pre-v1.3.50","pre-v1.3.69.16","pre-v1.3.69.17","pre-v1.3.69.18","pre-v1.3.69.19","pre-v1.3.69.20","pre-v1.3.69.21","pre-v1.3.69.22","pre-v1.3.69.23","pre-v1.3.69.24","pre-v1.3.69.25","v1.3.29","v1.3.30","v1.3.32","v1.3.35","v1.3.36","v1.3.37","v1.3.38","v1.3.39","v1.3.40","v1.3.41","v1.3.42","v1.3.43","v1.3.44","v1.3.45","v1.3.47","v1.3.49","v1.3.51","v1.3.52","v1.3.53","v1.3.54","v1.3.55","v1.3.56","v1.3.60","v1.3.61","v1.3.62","v1.3.63","v1.3.64","v1.3.65","v1.3.66","v1.3.67","v1.3.68","v1.3.69","v1.3.71","v1.3.72","v1.3.73","v1.3.74","v1.3.75","v1.3.76","v1.3.78","v1.3.79","v1.3.81","v1.3.82","v1.3.83","v1.3.84","v1.3.88.1","v1.3.88.2","v1.3.88.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-6944.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}