CVE-2022-3383: 
WordPress vulnerability analysis and mitigation

The Ultimate Member plugin for WordPress (versions up to 2.5.0) contains a Remote Code Execution (RCE) vulnerability identified as CVE-2022-3383. The vulnerability was discovered by researcher Ruijie Li and affects the plugin's callback functions, allowing authenticated users with administrative privileges to execute arbitrary code on the server (Patchstack, WPScan).

The vulnerability exists in multiple PHP files including class-fields.php and class-form.php, where the calluserfunc() function accepts unfiltered user input. The issue specifically occurs in functions such as getoptionvaluefromcallback(), getoptionsfromcallback(), editfield(), and ajaxselectoptions(). The vulnerability has been assigned a CVSS score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Wordfence).

When exploited, this vulnerability allows authenticated administrators to execute commands on the target website, potentially leading to full control of the website. The impact is particularly concerning in multisite setups where high-privilege users might gain unauthorized execution capabilities (Patchstack).

The vulnerability has been patched in version 2.5.1 of the Ultimate Member plugin. Website administrators are strongly advised to update to this version or later to mitigate the security risk (Patchstack).