CVE-2022-3361 in Ultimate Member Plugin
Summary
by MITRE • 11/30/2022
The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a php file then remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users.
Analysis
by VulDB Data Team • 04/08/2026
CVE-2022-3361 affects the Ultimate Member plugin for WordPress, a widely deployed user management plugin. It is a directory traversal flaw in all versions up to and including 2.5.0, caused by insufficient validation of the 'template' attribute of the plugin's shortcodes (shortcodes are WordPress tags that insert generated content into posts and pages). When that attribute carries traversal sequences such as ../../, the plugin neither sanitizes them nor restricts the resulting path, so the attribute can steer file inclusion outside the intended directory.
The root cause is the shortcode handler's missing validation of the 'template' value: it does not filter path components, so traversal sequences move the lookup out of the intended directory. Legitimate templates are loaded from a fixed directory, but a supplied value containing ../ is processed without checks and can reach files outside that directory. Because the path is used for inclusion, the flaw exposes arbitrary files on the server, including configuration files and database credentials, that should remain protected.
The impact goes beyond file disclosure: combined with a way to upload a PHP file, the inclusion becomes remote code execution. An attacker with administrative privileges can include a malicious PHP file and take control of the WordPress installation and potentially the underlying server. For lower-privileged users, exploitation additionally requires that /wp-admin access be enabled for that account, so compromising an account with sufficient permissions is a route to privilege escalation. Because the trigger is legitimate shortcode functionality, exploitation is hard to distinguish from normal use and may go unnoticed for a long time.
Security professionals should note that this vulnerability aligns with CWE-22, which specifically addresses improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal attacks. The ATT&CK framework categorizes this type of vulnerability under T1059.007 for Command and Scripting Interpreter: PowerShell and T1566.001 for Credential Access: Credential Dumping, as attackers can potentially extract sensitive information or execute malicious code through the exploitation of such flaws. Organizations should immediately update to the latest version of the Ultimate Member plugin to remediate this vulnerability, as the patch typically includes proper input validation and sanitization of the template attribute parameter. Additionally, implementing proper access controls and limiting administrative privileges to only essential users can help reduce the attack surface and prevent unauthorized exploitation of this vulnerability.
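As an added illustration of the mechanism described in the analysis above and of the input validation the remediation calls for, the following PHP contrasts the unsafe pattern (shortcode attribute concatenated into an include path) with a confined version. This is not Ultimate Member's code; the function names, the shortcode handler and the templates directory layout are assumptions.

```php
<?php
// Added illustration, not Ultimate Member's code. All names are hypothetical.
// Shows the bug class described above: a 'template' shortcode attribute used
// to build a file include path, and one way to confine that path.

// Vulnerable pattern: the attribute value is concatenated straight into the
// include path, so a value such as "../../wp-config" leaves the template dir.
function load_template_unsafe( string $template_dir, array $atts ): string {
    $template = $atts['template'] ?? 'default';
    return $template_dir . '/' . $template . '.php'; // no validation at all
}

// Hardened pattern: accept only a plain template name, then resolve the final
// path and verify it still lies inside the template directory.
function load_template_safe( string $template_dir, array $atts ): ?string {
    $template = $atts['template'] ?? 'default';
    // Letters, digits, dash and underscore only: no slashes, no dots.
    if ( ! preg_match( '/^[A-Za-z0-9_-]+$/', $template ) ) {
        return null;
    }
    $base = realpath( $template_dir );
    $path = realpath( $template_dir . '/' . $template . '.php' );
    // realpath() returns false for a missing file or directory.
    if ( false === $base || false === $path ) {
        return null;
    }
    // Containment check: the resolved file must be below the base directory.
    if ( 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}

// Hypothetical shortcode handler using the hardened loader.
function demo_template_shortcode( $atts ): string {
    $dir  = plugin_dir_path( __FILE__ ) . 'templates';
    $file = load_template_safe( $dir, (array) $atts );
    if ( null === $file ) {
        return ''; // refuse to include anything that failed validation
    }
    ob_start();
    include $file;
    return ob_get_clean();
}
```

A defender reviewing a plugin can grep for include/require statements whose path is built from shortcode attributes and check whether an allowlist or a realpath containment test like the one above sits in front of them.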