Description
The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendering. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (e.g., setting profile to "Only me") via direct parameter manipulation, even when the administrator has explicitly disabled the option for their role.
Published: 2025-12-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Profile Privacy Bypass
Action: Apply Update
AI Analysis

Impact

The vulnerability in the Ultimate Member plugin allows an authenticated user with Subscriber-level access to alter the privacy setting of their profile by manipulating request parameters. The flaw arises because field keys are added to the allowed list before the required permission check is performed during rendering. The result is a privacy setting change that the user should not be able to perform, potentially exposing personal data to unauthorized viewers. This weakness is a classic example of missing authorization checks and is catalogued as CWE-863.
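The ordering flaw described above, modelled as an added PHP example (not Ultimate Member's code; field names, the `change_profile_privacy` capability and the helper functions are assumed): the vulnerable renderer records a field key as allowed before evaluating `required_perm`, so the save handler later accepts a parameter the role was never shown.

```php
<?php
// Illustrative model of the ordering flaw; names are hypothetical, not Ultimate Member's code.
$fields = [
    'display_name'    => ['required_perm' => null],
    'profile_privacy' => ['required_perm' => 'change_profile_privacy'], // disabled for subscribers
];
$role_caps = [
    'subscriber'    => [],
    'administrator' => ['change_profile_privacy'],
];

function role_has_perm(string $role, ?string $perm, array $role_caps): bool {
    return $perm === null || in_array($perm, $role_caps[$role], true);
}

// Vulnerable ordering: the key is added to the allowed list before the permission gate,
// so a field that is never rendered is still accepted on save.
function allowed_fields_vulnerable(string $role, array $fields, array $role_caps): array {
    $allowed = [];
    foreach ($fields as $key => $def) {
        $allowed[] = $key;
        if (!role_has_perm($role, $def['required_perm'], $role_caps)) {
            continue; // hidden from the form, but already in $allowed
        }
        // ... render the input for $key ...
    }
    return $allowed;
}

// Fixed ordering: evaluate required_perm first, then record the key.
function allowed_fields_fixed(string $role, array $fields, array $role_caps): array {
    $allowed = [];
    foreach ($fields as $key => $def) {
        if (!role_has_perm($role, $def['required_perm'], $role_caps)) {
            continue;
        }
        $allowed[] = $key;
        // ... render the input for $key ...
    }
    return $allowed;
}

// The save handler keeps only keys present in the allowed list built at render time.
function save_profile(array $allowed, array $post): array {
    return array_intersect_key($post, array_flip($allowed));
}

// Constructed request body: a subscriber submits profile_privacy directly.
$post = ['display_name' => 'alice', 'profile_privacy' => 'Only me'];
var_dump(save_profile(allowed_fields_vulnerable('subscriber', $fields, $role_caps), $post)); // both keys kept
var_dump(save_profile(allowed_fields_fixed('subscriber', $fields, $role_caps), $post));      // only display_name
```

The same check is what the recommended-actions item about legacy code paths asks you to verify: every path that populates the allowed list must sit behind the `required_perm` gate, not in front of it.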

Affected Systems

Any WordPress installation running the Ultimate Member plugin up to and including version 2.11.0 is affected. Users of the plugin should confirm they are running v2.11.0 or earlier and plan to upgrade. The vulnerability does not affect WordPress core, but any site component that relies on the Ultimate Member privacy settings for access control is at risk.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate overall risk, and the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability requires authenticated access with a Subscriber role, so it is not remotely exploitable from an unauthenticated state. The attacker can simply change a profile setting; this does not compromise code execution or system integrity, but it does compromise confidentiality of the user's own profile. The vulnerability is not listed in the CISA KEV catalog, implying no widely known exploits have been observed yet.

Generated by OpenCVE AI on April 20, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ultimate Member plugin to the latest version that fixes the permission check flaw.
  • If an upgrade cannot be performed immediately, remove or disable the profile privacy settings for roles that should not have this control, ensuring that Subscribers cannot change visibility levels.
  • Verify that all permission checks for rendering profile fields are correctly implemented and that no legacy code paths bypass the required_perm check, aligning your customizations with the recommended access control practices for CWE-863 (Missing Authorization).

Advisories

No advisories yet.

History

Thu, 18 Dec 2025 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ultimatemember; Ultimatemember ultimate Member; Wordpress; Wordpress wordpress
Vendors & Products | | Ultimatemember; Ultimatemember ultimate Member; Wordpress; Wordpress wordpress

Wed, 17 Dec 2025 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Dec 2025 18:30:00 +0000

Type | Values Removed | Values Added
Description | | The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendering. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (e.g., setting profile to "Only me") via direct parameter manipulation, even when the administrator has explicitly disabled the option for their role.
Title | | Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Profile Privacy Setting Bypass
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Ultimatemember Ultimate Member
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:28.703Z

Reserved: 2025-12-05T01:12:20.672Z

Link: CVE-2025-14081

Vulnrichment

Updated: 2025-12-17T18:51:51.856Z

NVD

Status : Deferred

Published: 2025-12-17T19:16:01.543

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14081

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses