Description
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the search parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-01-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL injection
Action: Patch ASAP
AI Analysis

Impact

The Ultimate Member plugin contains a time-based SQL Injection flaw in its search parameter that allows attackers to append arbitrary SQL statements. The vulnerability results from insufficient escaping of user input and the lack of a prepared statement, enabling unauthenticated users to inject and execute SQL against the database. The core weakness is an input validation error identified as CWE-89.
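The two defects named above (no escaping of the user-supplied value and no prepared statement) are the ones a reviewer looks for in any WordPress search handler. The following is an added illustration written for this page, not code from Ultimate Member or from OpenCVE: a hypothetical directory-search callback shown first in the unsafe concatenation pattern the advisory describes and then rebuilt on the real WordPress `$wpdb->prepare()` / `$wpdb->esc_like()` API. The function names (`um_demo_*`) are made up for the example; the query runs against the standard `wp_users` table only because it is a table every WordPress install has.

```php
<?php
// Added illustrative example (not Ultimate Member's own code). The um_demo_*
// function names are hypothetical; $wpdb, prepare(), esc_like(), wp_unslash(),
// sanitize_text_field() and wp_send_json() are the real WordPress APIs.

// BEFORE: the request value is spliced straight into the SQL text. Nothing
// escapes it, so a crafted `search` value can change the statement itself
// rather than being treated as data (CWE-89). Shown for contrast only.
function um_demo_search_vulnerable( string $search ): array {
    global $wpdb;
    $sql = "SELECT ID, display_name FROM {$wpdb->users}"
         . " WHERE display_name LIKE '%" . $search . "%' LIMIT 20";
    return (array) $wpdb->get_results( $sql );
}

// AFTER: the statement text is fixed at build time and the user value is
// passed as a %s placeholder. prepare() quotes and escapes it; esc_like()
// additionally neutralises '%' and '_' so they cannot act as LIKE wildcards.
function um_demo_search_hardened( string $search ): array {
    global $wpdb;

    // Cheap pre-check: a directory lookup never needs a very long term, and
    // bounding the length limits what can be pushed at the query at all.
    if ( strlen( $search ) > 100 ) {
        return array();
    }

    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, display_name FROM {$wpdb->users} WHERE display_name LIKE %s LIMIT %d",
        $like,
        20
    );
    return (array) $wpdb->get_results( $sql );
}

// Request entry point: strip WordPress' magic-quote slashes, sanitise the
// text, and only ever call the hardened variant.
function um_demo_handle_request(): void {
    $raw    = isset( $_GET['search'] ) ? wp_unslash( $_GET['search'] ) : '';
    $search = sanitize_text_field( $raw );
    wp_send_json( um_demo_search_hardened( $search ) );
}
```

The security-relevant difference is entirely in how `$search` reaches the database: in the first function it is part of the SQL text, in the second it is a bound value that the driver escapes. `sanitize_text_field()` alone would not be enough, because it is designed for HTML contexts, not SQL; the prepared statement is what closes CWE-89 here.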

Affected Systems

WordPress sites that have the Ultimate Member plugin at version 2.9.1 or any earlier release are affected. This plugin provides user profiles, registration, login, member directories, and content restriction features and is distributed through the official WordPress repository.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% suggests a very low but non-zero likelihood of exploitation today, and the flaw is not listed in the CISA KEV catalog, so no exploitation campaign has been confirmed. Based on the description, the attack vector is inferred to be an unauthenticated HTTP request to the search endpoint, through which an attacker could extract sensitive data from the database via the injected query.

Generated by OpenCVE AI on April 22, 2026 at 07:02 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to the latest version of Ultimate Member if an official fix has been released
  • Deploy a Web Application Firewall or a WordPress security plugin configured to detect and block search queries containing SQL injection control characters
  • Restrict or disable access to the search endpoint by requiring authentication or implementing rate limiting to reduce exposure to automated injection attempts

Generated by OpenCVE AI on April 22, 2026 at 07:02 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-1597
Title: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the search parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

History

Tue, 25 Feb 2025 22:30:00 +0000

Type: First Time appeared
  Values Added: Ultimatemember; Ultimatemember ultimate Member
Type: CPEs
  Values Added: cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values Added: Ultimatemember; Ultimatemember ultimate Member

Tue, 21 Jan 2025 22:15:00 +0000

Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 18 Jan 2025 05:45:00 +0000

Type: Description
  Values Added: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the search parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Type: Title
  Values Added: Ultimate Member <= 2.9.1 - Unauthenticated SQL Injection
Type: Weaknesses
  Values Added: CWE-89
Type: References
Type: Metrics
  Values Added: cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:29.496Z

Reserved: 2025-01-07T13:22:14.239Z

Link: CVE-2025-0308

Vulnrichment

Updated: 2025-01-21T21:40:29.893Z

NVD

Status: Analyzed

Published: 2025-01-18T06:15:27.880

Modified: 2025-02-25T22:14:17.707

Link: CVE-2025-0308

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:15:11Z

Weaknesses