Skip to main content

Ultimate Membership Pro CVE-2026-25357

| EUVDEUVD-2026-15677 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-03-25 Patchstack GHSA-7q8x-g7w6-4685
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Apr 28, 2026 - 02:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 16:12 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15677
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 8.1

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse.This issue affects Ultimate Membership Pro: from n/a through <= 13.7.

AnalysisAI

Authentication bypass in Ultimate Membership Pro WordPress plugin versions through 13.7 enables remote attackers to circumvent access controls via alternate authentication paths, potentially achieving complete account takeover. Attack complexity is rated high (AC:H) but requires no authentication or user interaction. EPSS score is low (0.02%, 6th percentile) indicating minimal observed exploitation activity. No active exploitation confirmed by CISA KEV at time of analysis. SSVC framework rates technical impact as total with exploitation status of none.

Technical ContextAI

This vulnerability affects azzaroco's Ultimate Membership Pro WordPress plugin (indeed-membership-pro), a membership and subscription management solution for WordPress sites. The root cause is CWE-288 (Authentication Bypass Using an Alternate Path or Channel), indicating the plugin exposes multiple authentication mechanisms where one path lacks proper security controls. This class of vulnerability typically arises when developers implement primary authentication correctly but fail to secure alternative endpoints, API routes, or legacy authentication handlers that can grant the same privileged access. The CPE identifier cpe:2.3:a:azzaroco:ultimate_membership_pro confirms azzaroco as the vendor and the product scope encompasses all versions through 13.7.

RemediationAI

Upgrade Ultimate Membership Pro to version 13.8 or later if available, as version 13.7 is confirmed vulnerable. Verify current plugin version in WordPress admin dashboard under Plugins and check for updates. Consult the official Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/indeed-membership-pro/vulnerability/wordpress-ultimate-membership-pro-plugin-13-7-account-takeover-vulnerability for vendor-confirmed fix version, as the provided data does not include an independently verified patched release. If patch deployment must be delayed, implement immediate compensating controls: restrict WordPress admin panel access to trusted IP addresses via .htaccess or firewall rules; enable two-factor authentication for all user accounts especially those with elevated privileges; monitor authentication logs for unusual login patterns or access from unexpected sources. Note these mitigations reduce but do not eliminate risk, as the alternate authentication path may bypass standard login monitoring. Temporary deactivation of the plugin eliminates vulnerability but breaks membership functionality entirely. Review application logs for indicators of exploitation attempts prior to patching.

Share

CVE-2026-25357 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy