CVE-2024-1071
Key Information
- Vendor
- Ultimatemember
- Status
- Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
- Vendor
- CVE Published:
- 13 March 2024
Badges
Summary
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected Version(s)
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.8.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Cybersafe Solutions CVE-2024-1071Cybersafe Solutions Security Advisory Bulletin March 1, 2024
Security Updates for Progress Kemp’s LoadMaster, WordPress Plugin ‘Ulimate Member,’ Joomla, Google Chrome, and Mozilla Products
6 months ago
Indusface CVE-2024-1071Ultimate Member WordPress Plugin (CVE-2024-1071) | Indusface Blog
Learn about the critical CVE-2024-1071 vulnerability in Ultimate Member WordPress Plugin, posing a threat to over 200K sites. Protect your website today.
7 months ago
Ultimate Member WordPress Plugin (CVE-2024-1071) | Indusface Blog
Learn about the critical CVE-2024-1071 vulnerability in Ultimate Member WordPress Plugin, posing a threat to over 200K sites. Protect your website today.
7 months ago
CVSS V3.1
Timeline
- 👾
Exploit exists.
Vulnerability published.
First article discovered by securityonline.info
Disclosed
Vulnerability Reserved.