Blind SQL Injection Vulnerability in Ultimate Member Plugin for WordPress
CVE-2026-15290
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-15290?
The Ultimate Member plugin for WordPress is susceptible to a blind SQL injection due to inadequate parameter escaping in the search functionality. This vulnerability affects all versions up to 2.10.1, allowing unauthenticated attackers to inject malicious SQL queries to extract sensitive data from the database. The issue arises from the lack of proper preparation in the SQL query, which fails to adequately validate user input, thereby making it possible for attackers to manipulate database queries. A partial fix was introduced in version 2.9.2 in response to a related vulnerability, yet the current iteration still presents significant risks.
Affected Version(s)
Ultimate Member β User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin 0 <= 2.10.1