Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse.This issue affects Ultimate Membership Pro: from n/a through <= 13.7.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover via Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an attacker to bypass authentication by using an alternate path or channel within the Ultimate Membership Pro plugin, enabling unauthorized access to user accounts. The flaw falls under improper authentication (CWE‑288) and can lead to full account takeover, allowing modification of content, impersonation, or data exfiltration.

Affected Systems

WordPress sites running the Ultimate Membership Pro plugin version 13.7 or earlier are affected. The vulnerability applies to all installations of the plugin from the earliest version included up to 13.7.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector involves crafting a request through a different internal route or parameter that the plugin does not properly authenticate, allowing an attacker to gain access without valid credentials.

Generated by OpenCVE AI on March 26, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ultimate Membership Pro to a version newer than 13.7 as soon as possible.
  • If an update is not available, disable or uninstall the plugin to prevent exploitation.
  • Reset passwords for all privileged accounts and monitor logs for suspicious login attempts.
  • Audit any custom code that interacts with the plugin to ensure it does not expose the same authentication path.

Generated by OpenCVE AI on March 26, 2026 at 18:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Azzaroco
Azzaroco ultimate Membership Pro
Wordpress
Wordpress wordpress
Vendors & Products Azzaroco
Azzaroco ultimate Membership Pro
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse.This issue affects Ultimate Membership Pro: from n/a through <= 13.7.
Title WordPress Ultimate Membership Pro plugin <= 13.7 - Account Takeover vulnerability
Weaknesses CWE-288
References

Subscriptions

Azzaroco Ultimate Membership Pro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T17:07:53.985Z

Reserved: 2026-02-02T12:52:48.541Z

Link: CVE-2026-25357

cve-icon Vulnrichment

Updated: 2026-03-26T17:06:51.137Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:46.743

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25357

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:45:58Z

Weaknesses