SQL Injection Vulnerability in Ultimate Member Plugin for WordPress
CVE-2024-12276

6.5MEDIUM

Key Information:

Vendor

WordPress
Status
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vendor
CVE Published:
21 February 2025

What is CVE-2024-12276?

The Ultimate Member plugin for WordPress is susceptible to second-order SQL injection due to improper escaping of user-supplied parameters. This vulnerability allows authenticated users, who have the ability to upload files and manage filenames via a third-party file manager, to inject additional SQL queries into existing ones. Consequently, this could lead to the unauthorized extraction of sensitive database information. However, exploiting this vulnerability requires specific conditions that limit its overall risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin * <= 2.9.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3242743/ulti...

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kevin Wydler
JSON
.