Blind SQL Injection Vulnerability in Ultimate Member Plugin for WordPress
CVE-2026-15290

7.5HIGH

What is CVE-2026-15290?

The Ultimate Member plugin for WordPress is susceptible to a blind SQL injection due to inadequate parameter escaping in the search functionality. This vulnerability affects all versions up to 2.10.1, allowing unauthenticated attackers to inject malicious SQL queries to extract sensitive data from the database. The issue arises from the lack of proper preparation in the SQL query, which fails to adequately validate user input, thereby making it possible for attackers to manipulate database queries. A partial fix was introduced in version 2.9.2 in response to a related vulnerability, yet the current iteration still presents significant risks.

Affected Version(s)

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin 0 <= 2.10.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhamad Visat
.