
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin — Vulnerabilities & Security Advisories (22)

All 22 CVE vulnerabilities found in Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin, with AI-generated Chinese analysis, references, and POCs.

This page catalogs security vulnerabilities associated with the Ultimate Member plugin, a WordPress solution for user profiles, registration, and membership management, specifically focusing on weaknesses within its authentication, access control, and user data handling mechanisms. It aggregates reports spanning from its initial release through recent updates, capturing a comprehensive timeline of discovered flaws including privilege escalation, unauthorized access, and information disclosure issues. By reviewing this collection, researchers and administrators can track the vendor’s history of addressing security advisories, gain a deeper understanding of common weakness classes prevalent in membership plugins, and investigate the specific vulnerability history of this popular tool to assess long-term risk. The data highlights patterns in how user-facing components like login forms and directory listings have been exploited, providing critical context for penetration testers and developers aiming to harden their installations. Understanding these historical trends allows stakeholders to identify recurring implementation errors, evaluate the effectiveness of past patches, and anticipate potential future attack vectors that may emerge as the plugin evolves. This resource serves as a centralized reference for evaluating the security posture of the Ultimate Member ecosystem, enabling informed decisions regarding plugin updates, alternative solutions, or necessary configuration changes to mitigate identified risks.

Vendor: ultimatemember

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-15064 | Ultimate Member <= 2.11.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via DOM Gadgets | CWE-79 | 6.4 | Medium | 2026-04-04 |
| CVE-2026-4248 | Ultimate Member <= 2.11.2 - Authenticated (Contributor+) Sensitive Information Exposure to Account Takeover via Shortcode Template Tag | CWE-285 | 8.0 | High | 2026-03-27 |
| CVE-2026-1404 | Ultimate Member <= 2.11.1 - Reflected Cross-Site Scripting via Filter Parameters | CWE-79 | 6.1 | Medium | 2026-02-18 |
| CVE-2025-13220 | Ultimate Member <= 2.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | CWE-79 | 6.4 | Medium | 2025-12-21 |
| CVE-2025-12492 | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.11.0 - Unauthenticated Sensitive Information Exposure | CWE-200 | 5.3 | Medium | 2025-12-20 |
| CVE-2025-14081 | Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Profile Privacy Setting Bypass | CWE-863 | 4.3 | Medium | 2025-12-17 |
| CVE-2025-13217 | Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value' | CWE-79 | 6.4 | Medium | 2025-12-17 |
| CVE-2025-1702 | Ultimate Member <= 2.10.0 - Unauthenticated SQL Injection via search Parameter | CWE-89 | 7.5 | High | 2025-03-05 |
| CVE-2024-12276 | Ultimate Member <= 2.9.2 - Authenticated SQL Injection | CWE-89 | 5.3 | Medium | 2025-02-21 |
| CVE-2025-0308 | Ultimate Member <= 2.9.1 - Unauthenticated SQL Injection | CWE-89 | 7.5 | High | 2025-01-18 |
| CVE-2025-0318 | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.9.1 - Information Exposure | CWE-200 | 5.3 | Medium | 2025-01-18 |
| CVE-2024-10528 | Ultimate Member <= 2.8.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Profile Picture Update | CWE-862 | 4.3 | Medium | 2024-11-21 |
| CVE-2024-8519 | Ultimate Member <= 2.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | CWE-79 | 6.4 | Medium | 2024-10-04 |
| CVE-2024-8520 | Ultimate Member <= 2.8.6 - Cross-Site Request Forgery to Membership Status Change | CWE-352 | 5.3 | Medium | 2024-10-04 |
| CVE-2024-2765 | Ultimate Member <= 2.8.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting | CWE-79 | 5.4 | Medium | 2024-05-02 |
| CVE-2024-1071 | WordPress Plugin Ultimate Member Security Vulnerability | | 9.8 | Critical | 2024-03-13 |
| CVE-2024-2123 | Ultimate Member <= 2.8.3 - Unauthenticated Stored Cross-Site Scripting | CWE-79 | 7.2 | High | 2024-03-13 |
| CVE-2022-3383 | Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 - Authenticated (Admin+) Remote Code Execution via Multi-Select | CWE-94 | 7.2 | High | 2022-11-29 |
| CVE-2022-3384 | Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 - Authenticated (Admin+) Limited Remote Code Execution via um_populate_dropdown_options | CWE-94 | 7.2 | High | 2022-11-29 |
| CVE-2022-3361 | Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 - Authenticated (Contributor+) Directory Traversal via Shortcodes | CWE-22 | 4.3 | Medium | 2022-11-29 |
| CVE-2022-1208 | Ultimate Member <= 2.3.2 - Stored Cross-Site Scripting | CWE-79 | 6.4 | Medium | 2022-06-13 |
| CVE-2022-1209 | Ultimate Member <= 2.3.1 - Arbitrary Redirect | CWE-601 | 4.3 | Medium | 2022-05-10 |

All 22 known CVE vulnerabilities affecting Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin with full Chinese analysis, references, and POCs where available.