User Profile CVEs and Security Vulnerabilities

Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (8 CVEs found)

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2024-1071	1 Ultimatemember	6 Contentrestriction, Login, Memberdirectory and 3 more	2025-04-15	9.8 Critical
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2018-10234	1 Ultimatemember	1 User Profile \& Membership	2024-11-21	N/A
Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.
CVE-2018-10233	1 Ultimatemember	1 User Profile \& Membership	2024-11-21	N/A
The User Profile & Membership plugin before 2.0.7 for WordPress has no mitigations implemented against cross site request forgery attacks. This is a structural finding throughout the entire plugin.
CVE-2018-0590	1 Ultimatemember	1 User Profile \& Membership	2024-11-21	N/A
Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to modify the other users profiles via unspecified vectors.
CVE-2018-0589	1 Ultimatemember	1 User Profile \& Membership	2024-11-21	N/A
Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to add a new form in the 'Forms' page via unspecified vectors.
CVE-2018-0588	1 Ultimatemember	1 User Profile \& Membership	2024-11-21	N/A
Directory traversal vulnerability in the AJAX function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to read arbitrary files via unspecified vectors.
CVE-2018-0587	1 Ultimatemember	1 User Profile \& Membership	2024-11-21	N/A
Unrestricted file upload vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors.
CVE-2018-0586	1 Ultimatemember	1 User Profile \& Membership	2024-11-21	N/A
Directory traversal vulnerability in the shortcodes function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to read arbitrary files via unspecified vectors.

Page 1 of 1.