Ultimatemember is a widely deployed WordPress plugin designed to facilitate user registration, profile management, and membership functionality. With twenty-seven recorded Common Vulnerabilities and Exposures, the software has historically exhibited significant security weaknesses, primarily involving SQL injection, cross-site scripting, and privilege escalation flaws. These vulnerabilities often stem from insufficient input validation and improper capability checks, allowing attackers to manipulate database queries or execute arbitrary code. Notably, several incidents have highlighted the risk of unauthorized access to sensitive user data and administrative functions due to flawed authentication mechanisms. The high volume of CVEs suggests persistent challenges in maintaining secure code practices within the plugin’s architecture. Organizations relying on this tool must prioritize regular updates and rigorous security audits to mitigate the substantial risks associated with its extensive attack surface and historical vulnerability profile.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-15064 | Ultimate Member <= 2.11.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via DOM Gadgets — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-79) | 6.4 | Medium | 2026-04-04 |
| CVE-2026-4248 | Ultimate Member <= 2.11.2 - Authenticated (Contributor+) Sensitive Information Exposure to Account Takeover via Shortcode Template Tag — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-285) | 8.0 | High | 2026-03-27 |
| CVE-2026-1404 | Ultimate Member <= 2.11.1 - Reflected Cross-Site Scripting via Filter Parameters — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-79) | 6.1 | Medium | 2026-02-18 |
| CVE-2025-13746 | ForumWP – Forum & Discussion Board <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Display Name — ForumWP – Forum & Discussion Board (CWE-79) | 6.4 | Medium | 2026-01-06 |
| CVE-2025-13220 | Ultimate Member <= 2.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-79) | 6.4 | Medium | 2025-12-21 |
| CVE-2025-12492 | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.11.0 - Unauthenticated Sensitive Information Exposure — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-200) | 5.3 | Medium | 2025-12-20 |
| CVE-2025-14081 | Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Profile Privacy Setting Bypass — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-863) | 4.3 | Medium | 2025-12-17 |
| CVE-2025-13217 | Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value' — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-79) | 6.4 | Medium | 2025-12-17 |
| CVE-2025-1702 | Ultimate Member <= 2.10.0 - Unauthenticated SQL Injection via search Parameter — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-89) | 7.5 | High | 2025-03-05 |
| CVE-2024-12276 | Ultimate Member <= 2.9.2 - Authenticated SQL Injection — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-89) | 5.3 | Medium | 2025-02-21 |
| CVE-2025-0308 | Ultimate Member <= 2.9.1 - Unauthenticated SQL Injection — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-89) | 7.5 | High | 2025-01-18 |
| CVE-2025-0318 | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.9.1 - Information Exposure — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-200) | 5.3 | Medium | 2025-01-18 |
| CVE-2024-11204 | ForumWP – Forum & Discussion Board <= 2.1.2 - Reflected Cross-Site Scripting via url Parameter — ForumWP – Forum & Discussion Board (CWE-79) | 6.1 | Medium | 2024-12-06 |
| CVE-2024-10879 | ForumWP – Forum & Discussion Board <= 2.1.2 - Reflected Cross-Site Scripting — ForumWP – Forum & Discussion Board (CWE-79) | 6.1 | Medium | 2024-12-06 |
| CVE-2024-10880 | JobBoardWP – Job Board Listings and Submissions <= 1.3.0 - Reflected Cross-Site Scripting — JobBoardWP – Job Board Listings and Submissions (CWE-79) | 6.1 | Medium | 2024-11-23 |
| CVE-2024-10528 | Ultimate Member <= 2.8.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Profile Picture Update — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-862) | 4.3 | Medium | 2024-11-21 |
| CVE-2024-8519 | Ultimate Member <= 2.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-79) | 6.4 | Medium | 2024-10-04 |
| CVE-2024-8520 | Ultimate Member <= 2.8.6 - Cross-Site Request Forgery to Membership Status Change — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-352) | 5.3 | Medium | 2024-10-04 |
| CVE-2024-8428 | ForumWP – Forum & Discussion Board Plugin <= 2.0.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover — ForumWP – Forum & Discussion Board (CWE-639) | 8.8 | High | 2024-09-06 |
| CVE-2024-2765 | Ultimate Member <= 2.8.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-79) | 5.4 | Medium | 2024-05-02 |
| CVE-2024-1071 | WordPress Plugin Ultimate Member Security Vulnerability — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | 9.8 | Critical | 2024-03-13 |
| CVE-2024-2123 | Ultimate Member <= 2.8.3 - Unauthenticated Stored Cross-Site Scripting — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-79) | 7.2 | High | 2024-03-13 |
| CVE-2022-3383 | Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 - Authenticated (Admin+) Remote Code Execution via Multi-Select — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-94) | 7.2 | High | 2022-11-29 |
| CVE-2022-3384 | Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 - Authenticated (Admin+) Limited Remote Code Execution via um_populate_dropdown_options — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-94) | 7.2 | High | 2022-11-29 |
| CVE-2022-3361 | Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 - Authenticated (Contributor+) Directory Traversal via Shortcodes — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-22) | 4.3 | Medium | 2022-11-29 |
| CVE-2022-1208 | Ultimate Member <= 2.3.2 - Stored Cross-Site Scripting — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-79) | 6.4 | Medium | 2022-06-13 |
| CVE-2022-1209 | Ultimate Member <= 2.3.1 - Arbitrary Redirect — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CWE-601) | 4.3 | Medium | 2022-05-10 |
This page lists every published CVE security advisory associated with ultimatemember. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.