Medium severity5.3NVD Advisory· Published Jan 13, 2020· Updated Jun 17, 2026
CVE-2020-6859
CVE-2020-6859
Description
Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parameter. This is related to ajax_image_upload and ajax_resize_image.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- WordPress/Ultimate Member plugindescription
- Range: <=2.1.2
Patches
Vulnerability mechanics
References
5- github.com/ultimatemember/ultimatemember/commit/249682559012734a4f7d71f52609b2f301ea55b1nvdPatchThird Party Advisory
- github.com/ultimatemember/ultimatemember/blob/627bbb0fae81ac34c60b43f0867eadcf8e1bc523/includes/core/class-files.phpnvdThird Party Advisory
- github.com/ultimatemember/ultimatemember/blob/627bbb0fae81ac34c60b43f0867eadcf8e1bc523/includes/core/class-files.phpnvdThird Party Advisory
- wordpress.org/plugins/ultimate-member/nvdVendor Advisory
- wpvulndb.com/vulnerabilities/10041nvdThird Party Advisory
News mentions
0No linked articles in our index yet.