
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin — Vulnerabilities & Security Advisories (22)

All 22 CVE vulnerabilities found in Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin, with AI-generated Chinese analysis, references, and POCs.

This page documents vulnerability aggregation for Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin, focusing on security weakness types and associated tags. It collects data regarding various security flaws including cross-site scripting, SQL injection, privilege escalation, and broken access control issues reported against this WordPress membership plugin. The information covers vulnerability disclosures and advisory updates spanning from early initial releases through the most recent patches issued by the vendor, ensuring a comprehensive historical perspective. Readers can discover how to track a vendor's advisories over time to understand the frequency and severity of reported issues. This resource allows users to understand a specific weakness class within the context of user management and membership functionality, highlighting common attack vectors in registration forms or member directories. Furthermore, you can look up a product's vulnerability history to assess the long-term security posture of the software, identify recurring patterns in code quality, and evaluate the effectiveness of past remediation efforts. This aggregated view supports security researchers, site administrators, and developers in making informed decisions about plugin usage, patching priorities, and risk mitigation strategies. By examining the chronological progression of these security events, stakeholders gain insight into the evolving threat landscape specific to this widely used member directory solution. The data serves as a factual record rather than a promotional overview, providing objective metrics on security incidents and the subsequent developer responses. This transparency is essential for maintaining trust and ensuring that WordPress communities remain secure against emerging threats targeting user authentication and profile management features.

Vendor: ultimatemember

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-15064 | Ultimate Member <= 2.11.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via DOM Gadgets | CWE-79 | 6.4 | Medium | 2026-04-04 |
| CVE-2026-4248 | Ultimate Member <= 2.11.2 - Authenticated (Contributor+) Sensitive Information Exposure to Account Takeover via Shortcode Template Tag | CWE-285 | 8.0 | High | 2026-03-27 |
| CVE-2026-1404 | Ultimate Member <= 2.11.1 - Reflected Cross-Site Scripting via Filter Parameters | CWE-79 | 6.1 | Medium | 2026-02-18 |
| CVE-2025-13220 | Ultimate Member <= 2.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | CWE-79 | 6.4 | Medium | 2025-12-21 |
| CVE-2025-12492 | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.11.0 - Unauthenticated Sensitive Information Exposure | CWE-200 | 5.3 | Medium | 2025-12-20 |
| CVE-2025-14081 | Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Profile Privacy Setting Bypass | CWE-863 | 4.3 | Medium | 2025-12-17 |
| CVE-2025-13217 | Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value' | CWE-79 | 6.4 | Medium | 2025-12-17 |
| CVE-2025-1702 | Ultimate Member <= 2.10.0 - Unauthenticated SQL Injection via search Parameter | CWE-89 | 7.5 | High | 2025-03-05 |
| CVE-2024-12276 | Ultimate Member <= 2.9.2 - Authenticated SQL Injection | CWE-89 | 5.3 | Medium | 2025-02-21 |
| CVE-2025-0308 | Ultimate Member <= 2.9.1 - Unauthenticated SQL Injection | CWE-89 | 7.5 | High | 2025-01-18 |
| CVE-2025-0318 | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.9.1 - Information Exposure | CWE-200 | 5.3 | Medium | 2025-01-18 |
| CVE-2024-10528 | Ultimate Member <= 2.8.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Profile Picture Update | CWE-862 | 4.3 | Medium | 2024-11-21 |
| CVE-2024-8519 | Ultimate Member <= 2.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | CWE-79 | 6.4 | Medium | 2024-10-04 |
| CVE-2024-8520 | Ultimate Member <= 2.8.6 - Cross-Site Request Forgery to Membership Status Change | CWE-352 | 5.3 | Medium | 2024-10-04 |
| CVE-2024-2765 | Ultimate Member <= 2.8.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting | CWE-79 | 5.4 | Medium | 2024-05-02 |
| CVE-2024-1071 | WordPress Plugin Ultimate Member Security Vulnerability | | 9.8 | Critical | 2024-03-13 |
| CVE-2024-2123 | Ultimate Member <= 2.8.3 - Unauthenticated Stored Cross-Site Scripting | CWE-79 | 7.2 | High | 2024-03-13 |
| CVE-2022-3383 | Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 - Authenticated (Admin+) Remote Code Execution via Multi-Select | CWE-94 | 7.2 | High | 2022-11-29 |
| CVE-2022-3384 | Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 - Authenticated (Admin+) Limited Remote Code Execution via um_populate_dropdown_options | CWE-94 | 7.2 | High | 2022-11-29 |
| CVE-2022-3361 | Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 - Authenticated (Contributor+) Directory Traversal via Shortcodes | CWE-22 | 4.3 | Medium | 2022-11-29 |
| CVE-2022-1208 | Ultimate Member <= 2.3.2 - Stored Cross-Site Scripting | CWE-79 | 6.4 | Medium | 2022-06-13 |
| CVE-2022-1209 | Ultimate Member <= 2.3.1 - Arbitrary Redirect | CWE-601 | 4.3 | Medium | 2022-05-10 |

All 22 known CVE vulnerabilities affecting Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin with full Chinese analysis, references, and POCs where available.