SQL Injection Vulnerability in Ultimate Member Plugin for WordPress
CVE-2025-0308
7.5HIGH
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 18 January 2025
Summary
The Ultimate Member plugin for WordPress, versions up to and including 2.9.1, is susceptible to a time-based SQL injection vulnerability. This issue arises due to inadequate escaping of user-supplied input in search parameters, allowing unauthorized attackers to inject additional SQL queries into existing ones. Successful exploitation can lead to the unauthorized extraction of sensitive data from the database, posing a significant risk to user information and overall site security.
Affected Version(s)
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin * <= 2.9.1
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Michael Mazzolini