CVE-2025-1702 - Vulnerability Details

- Ultimate Member <= 2.10.0 - Unauthenticated SQL Injection via search Parameter

Description

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 2.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published: 2025-03-05

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Ultimate Member plugin accepts a search query parameter without proper escaping or use of prepared statements, creating a time‑based SQL injection that allows unauthenticated attackers to inject arbitrary SQL code. This flaw, classified as CWE‑89, enables an attacker to extract sensitive data from the underlying database, thereby breaching confidentiality.

Affected Systems

WordPress installations using the Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin up to and including version 2.10.0 are affected. The vulnerability arises in every release up to that point where the search parameter is processed in the member directory feature.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, yet the EPSS score of less than 1% reflects a low exploitation probability at this time. The flaw does not appear in CISA’s KEV catalog. Exploitation is straightforward via an unauthenticated HTTP request containing a crafted search parameter, and the time‑based nature of the attack may help in early detection, but it still allows attackers to read arbitrary database tables if successful.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ultimatemember

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.10.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Ultimate Member plugin to the latest version that includes proper parameterization or input sanitization for the search parameter.
If an upgrade cannot be performed immediately, configure a web application firewall or security plugin to block SQL‑related patterns in the search query string before it reaches the plugin.
Implement stricter input filtering for any search fields on your site, ensuring only alphanumeric characters or other allowed subsets are accepted, and consider using server‑side prepared statements for any remaining custom database queries.

Generated by OpenCVE AI on April 21, 2026 at 22:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-6085	The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 2.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00509.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/ultimatemember/ultimatemember/pull/1654/commits/74647d42cc8d63f5d4f687efcd0792c246c23039
https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/class-member-directory.php#L1775
https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/class-member-directory.php#L1863
https://plugins.trac.wordpress.org/changeset/3249862/
https://wordpress.org/plugins/ultimate-member/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/34adbae5-d615-4f8d-a845-6741d897f06c?source=cve

History

Wed, 05 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 05 Mar 2025 11:30:00 +0000

Type	Values Removed	Values Added
Description		The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 2.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title		Ultimate Member <= 2.10.0 - Unauthenticated SQL Injection via search Parameter
Weaknesses		CWE-89
References		https://github.com/ultimatemember/ultimatemember/pull/1654/commits/74647d42cc8d63f5d4f687efcd0792c246c23039 https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/class-member-directory.php#L1775 https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/class-member-directory.php#L1863 https://plugins.trac.wordpress.org/changeset/3249862/ https://wordpress.org/plugins/ultimate-member/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/34adbae5-d615-4f8d-a845-6741d897f06c?source=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-03-05T11:22:09.425Z

Updated: 2026-04-08T16:45:47.985Z

Reserved: 2025-02-25T20:51:45.704Z

Link: CVE-2025-1702

Vulnrichment

Updated: 2025-03-05T14:18:22.464Z

NVD

Status : Deferred

Published: 2025-03-05T12:15:35.420

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1702

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:15:45Z

Weaknesses

CWE-89

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object