SQL Injection Vulnerability in Ultimate Member Plugin for WordPress
CVE-2024-1071
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 13 March 2024
Badges
What is CVE-2024-1071?
CVE-2024-1071 is a critical SQL injection vulnerability found in the Ultimate Member plugin for WordPress, with a CVSS score of 9.8. This plugin is widely used for managing user profiles, registrations, logins, and access to members-only content on WordPress sites. The vulnerability specifically affects versions 2.1.3 to 2.8.2, stemming from inadequate input validation on the "sorting" parameter, enabling unauthenticated attackers to terminate existing SQL queries and append malicious SQL statements. This flaw can lead to unauthorized data access and extraction, allowing attackers to obtain sensitive information from the underlying database, such as user credentials and personal data. The implications for organizations can be severe, particularly for those relying on the plugin for handling user-related functionalities and content restrictions.
Potential impact of CVE-2024-1071
-
Data Exposure: The most significant risk associated with CVE-2024-1071 is the potential for attackers to extract sensitive data from the database, including user passwords, email addresses, and other personal information. This breach could lead to identity theft or unauthorized access to user accounts.
-
Unauthorized Access: Exploitation of this vulnerability could provide attackers with a foothold to gain unauthorized access to the site's backend, potentially leading to further compromises such as unauthorized administrative privileges, site defacement, or malware installation.
-
Reputation Damage and Compliance Issues: Organizations that fall victim to an exploit of this nature may suffer reputational harm due to loss of user trust. Furthermore, data breaches could lead to compliance violations under regulations like GDPR, resulting in legal repercussions and financial penalties.
Affected Version(s)
Ultimate Member โ User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin 2.1.3 <= 2.8.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
CVE-2024-1071 Description, Impact and Technical Details
CVE-2024-1071 is a vulnerability affecting the Ultimate Member plugin used in WordPress versions 2.1.3 to 2.8.2. An SQL Injection flaw is present, allโฆ
5 days ago
Cybersafe SolutionsCVE-2024-1071Cybersafe Solutions Security Advisory Bulletin March 1, 2024
Security Updates for Progress Kempโs LoadMaster, WordPress Plugin โUlimate Member,โ Joomla, Google Chrome, and Mozilla Products
Ultimate Member WordPress Plugin (CVE-2024-1071) | Indusface Blog
Learn about the critical CVE-2024-1071 vulnerability in Ultimate Member WordPress Plugin, posing a threat to over 200K sites. Protect your website today.
References
EPSS Score
92% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- ๐
Vulnerability started trending
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
- ๐ฐ
First article discovered by securityonline.info
Vulnerability Reserved