
Cloud Vulnerability DB
A community-led vulnerabilities database
The Ultimate Member plugin for WordPress was found to contain a directory traversal vulnerability (CVE-2022-3361) in versions up to and including 2.5.0. The vulnerability stems from insufficient input validation on the 'template' attribute used in shortcodes. This security issue was discovered and reported by Ruijie Li (NVD, Wordfence).
The vulnerability exists in the load_template() function within class-shortcodes.php. The function fails to properly validate the $tpl parameter, which can be controlled through the [ultimatemember_account] and [ultimatemember_password] shortcodes. The CVSS v3.1 score is 4.3 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (Github Vulnerability, NVD).
When exploited, this vulnerability allows attackers with administrative privileges to supply arbitrary paths using traversal sequences (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a PHP file, remote code execution via inclusion may be possible. For users with lower privileges, /wp-admin access must be enabled for the vulnerability to be exploitable (NVD).
Users should upgrade their Ultimate Member plugin to a version newer than 2.5.0, which contains the security fix. The vulnerability was patched by implementing proper input validation for the template attribute (NVD).
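To illustrate the kind of input validation the fix describes, here is an added example of a hardened template loader; it is not Ultimate Member's code, and the function names, the template directory and the demo files are assumptions.

```php
<?php
// Added example (not Ultimate Member's code): a template loader that refuses
// traversal in a shortcode 'template' attribute. All names here are assumed.

// Only bare identifiers are accepted: letters, digits, dash, underscore.
const TEMPLATE_NAME_PATTERN = '/^[A-Za-z0-9_-]+$/';

/**
 * Resolve a shortcode template name to a file inside $template_dir, or null.
 * Check 1: the name is a bare identifier (no slashes, dots or NUL bytes).
 * Check 2: the resolved real path is still inside the template directory.
 */
function resolve_template_path(string $template_dir, string $tpl): ?string {
    if (!preg_match(TEMPLATE_NAME_PATTERN, $tpl)) {
        return null;   // '../../' style values never reach the filesystem
    }
    $base = realpath($template_dir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $tpl . '.php');
    // realpath() is false for missing files; the prefix check also covers symlinks.
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Vulnerable shape, for contrast: the attribute flows straight into include.
function load_template_unsafe(string $template_dir, string $tpl): void {
    include $template_dir . '/' . $tpl . '.php';   // '../../x' escapes $template_dir
}

// Hardened shape: validate first, and log rejections so they can be alerted on.
function load_template_safe(string $template_dir, string $tpl): void {
    $path = resolve_template_path($template_dir, $tpl);
    if ($path === null) {
        error_log('rejected shortcode template attribute: ' . bin2hex($tpl));
        return;
    }
    include $path;
}

// Demo with a constructed temporary template directory.
$dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/account.php", "<?php echo 'account template';\n");
var_dump(resolve_template_path($dir, 'account'));          // path inside $dir
var_dump(resolve_template_path($dir, '../../wp-config'));  // rejected
var_dump(resolve_template_path($dir, "account\0"));        // rejected before realpath()
unlink("$dir/account.php");
rmdir($dir);
```

The regex pre-check matters on its own: on PHP 8, realpath() throws on a NUL byte, so rejecting non-identifier names first keeps the loader from erroring on crafted input.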
Source: This report was generated using AI