Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse.This issue affects Ultimate Membership Pro: from n/a through <= 13.7.
AnalysisAI
Authentication bypass in Ultimate Membership Pro WordPress plugin versions through 13.7 enables remote attackers to circumvent access controls via alternate authentication paths, potentially achieving complete account takeover. Attack complexity is rated high (AC:H) but requires no authentication or user interaction. EPSS score is low (0.02%, 6th percentile) indicating minimal observed exploitation activity. No active exploitation confirmed by CISA KEV at time of analysis. SSVC framework rates technical impact as total with exploitation status of none.
Technical ContextAI
This vulnerability affects azzaroco's Ultimate Membership Pro WordPress plugin (indeed-membership-pro), a membership and subscription management solution for WordPress sites. The root cause is CWE-288 (Authentication Bypass Using an Alternate Path or Channel), indicating the plugin exposes multiple authentication mechanisms where one path lacks proper security controls. This class of vulnerability typically arises when developers implement primary authentication correctly but fail to secure alternative endpoints, API routes, or legacy authentication handlers that can grant the same privileged access. The CPE identifier cpe:2.3:a:azzaroco:ultimate_membership_pro confirms azzaroco as the vendor and the product scope encompasses all versions through 13.7.
RemediationAI
Upgrade Ultimate Membership Pro to version 13.8 or later if available, as version 13.7 is confirmed vulnerable. Verify current plugin version in WordPress admin dashboard under Plugins and check for updates. Consult the official Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/indeed-membership-pro/vulnerability/wordpress-ultimate-membership-pro-plugin-13-7-account-takeover-vulnerability for vendor-confirmed fix version, as the provided data does not include an independently verified patched release. If patch deployment must be delayed, implement immediate compensating controls: restrict WordPress admin panel access to trusted IP addresses via .htaccess or firewall rules; enable two-factor authentication for all user accounts especially those with elevated privileges; monitor authentication logs for unusual login patterns or access from unexpected sources. Note these mitigations reduce but do not eliminate risk, as the alternate authentication path may bypass standard login monitoring. Temporary deactivation of the plugin eliminates vulnerability but breaks membership functionality entirely. Review application logs for indicators of exploitation attempts prior to patching.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15677
GHSA-7q8x-g7w6-4685