{"id":"CVE-2024-8520","details":"The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.6. This is due to missing or incorrect nonce validation on the admin_init or user_action_hook functions. This makes it possible for unauthenticated attackers to modify a user's membership status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","modified":"2026-04-10T05:19:52.566883Z","published":"2024-10-04T05:15:11.727Z","references":[{"type":"WEB","url":"https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/class-admin.php#L1945"},{"type":"WEB","url":"https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/class-admin.php#L1948C1-L1959C6"},{"type":"WEB","url":"https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/class-admin.php#L70C4-L70C84"},{"type":"WEB","url":"https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/core/class-admin-users.php#L146C1-L173C12"},{"type":"WEB","url":"https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/core/class-admin-users.php#L175C1-L178C7"},{"type":"WEB","url":"https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/core/class-admin-users.php#L41C4-L41C90"},{"type":"WEB","url":"https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/class-admin.php#L1880"},{"type":"ADVISORY","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/7ffddc03-d4ae-460e-972a-98804d947d09?source=cve"},{"type":"FIX","url":"https://github.com/ultim
atemember/ultimatemember/pull/1549"},{"type":"FIX","url":"https://plugins.trac.wordpress.org/changeset/3160947/ultimate-member/trunk/includes/admin/class-admin.php"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ultimatemember/ultimatemember","events":[{"introduced":"0"},{"fixed":"f6818efbc23bf7206229fb739b2d2f6d34852267"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.8.7"}]}}],"versions":["1.3.48","1.3.59","1.3.88","1.3.88.4","1.3.88.5","1.3.88.6","2.0.10","2.0.11","2.0.16","2.0.17","2.0.24","2.0.34","2.0.35","2.0.37","2.0.38","2.0.39","2.0.4","2.0.41","2.0.43","2.0.44","2.0.45","2.0.46","2.0.47","2.0.48","2.0.49","2.0.5","2.0.50","2.0.53","2.0.54","2.0.9","2.1.0","2.1.0-rc.1","2.1.0-rc.2","2.1.1","2.1.10","2.1.11","2.1.12","2.1.13","2.1.14","2.1.15","2.1.16","2.1.17","2.1.18","2.1.19","2.1.2","2.1.2-rc.1","2.1.20","2.1.3","2.1.3-rc.1","2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.1.9","2.2.0","2.2.1","2.2.2","2.2.3","2.2.4","2.2.5","2.3.0","2.3.1","2.3.2","2.4.0","2.4.1","2.4.2","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.6.0","2.6.1","2.6.10","2.6.11","2.6.2","2.6.3","2.6.4","2.6.5","2.6.6","2.6.7","2.6.8","2.6.9","2.7.0","2.8.0","2.8.1","2.8.2","2.8.3","2.8.4","2.8.5","2.8.6","pre-v1.3.50","pre-v1.3.69.16","pre-v1.3.69.17","pre-v1.3.69.18","pre-v1.3.69.19","pre-v1.3.69.20","pre-v1.3.69.21","pre-v1.3.69.22","pre-v1.3.69.23","pre-v1.3.69.24","pre-v1.3.69.25","v1.3.29","v1.3.30","v1.3.32","v1.3.35","v1.3.36","v1.3.37","v1.3.38","v1.3.39","v1.3.40","v1.3.41","v1.3.42","v1.3.43","v1.3.44","v1.3.45","v1.3.47","v1.3.49","v1.3.51","v1.3.52","v1.3.53","v1.3.54","v1.3.55","v1.3.56","v1.3.60","v1.3.61","v1.3.62","v1.3.63","v1.3.64","v1.3.65","v1.3.66","v1.3.67","v1.3.68","v1.3.69","v1.3.71","v1.3.72","v1.3.73","v1.3.74","v1.3.75","v1.3.76","v1.3.78","v1.3.79","v1.3.81","v1.3.82","v1.3.83","v1.3.84","v1.3.88.1","v1.3.88.2","v1.3.88.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-8520.
json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}]}