Skip to main content

Ultimate Member

32 CVEs product

Monthly

CVE-2026-11766 HIGH POC PATCH This Week

The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.

WordPress Information Disclosure Ultimate Member
NVD WPScan VulDB
CVSS 3.1
8.0
EPSS
0.2%
CVE-2026-39659 MEDIUM This Month

Missing authorization in Ultimate Member WordPress plugin versions up to 2.11.3 allows unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured security levels. The vulnerability has a low CVSS score (5.3) with minimal real-world exploitation risk (EPSS 0.02%), though it enables confidentiality impact through access control circumvention.

Authentication Bypass Ultimate Member
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-12276 MEDIUM PATCH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to second-order SQL Injection via filenames in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable.

WordPress SQLi Ultimate Member
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-0318 MEDIUM This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Ultimate Member PHP
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-0308 HIGH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the search. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi Ultimate Member PHP
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-10528 MEDIUM PATCH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Ultimate Member
NVD GitHub
CVSS 3.1
4.3
EPSS
0.6%
CVE-2024-8520 MEDIUM PATCH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Ultimate Member
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-8519 MEDIUM PATCH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Ultimate Member
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-2765 MEDIUM PATCH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Ultimate Member
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-1071 CRITICAL POC PATCH THREAT Act Now

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi WordPress Ultimate Member
NVD GitHub
CVSS 3.1
9.8
EPSS
89.4%
CVE-2024-2123 HIGH PATCH Act Now

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 29.6%.

XSS WordPress Ultimate Member
NVD VulDB
CVSS 3.1
7.2
EPSS
29.6%
CVE-2023-31216 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Ultimate Member plugin <= 2.6.0 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Ultimate Member
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2023-3460 CRITICAL POC THREAT Act Now

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Ultimate Member
NVD WPScan Exploit-DB
CVSS 3.1
9.8
EPSS
72.3%
CVE-2022-3384 HIGH POC PATCH THREAT Act Now

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 38.4%.

WordPress PHP RCE Code Injection Ultimate Member
NVD VulDB GitHub
CVSS 3.1
7.2
EPSS
38.4%
Threat
4.1
CVE-2022-3383 HIGH POC PATCH THREAT Act Now

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 34.9%.

WordPress RCE Code Injection Ultimate Member
NVD VulDB GitHub
CVSS 3.1
7.2
EPSS
34.9%
Threat
4.0
CVE-2022-3361 MEDIUM POC PATCH This Month

The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress PHP Path Traversal RCE Ultimate Member
NVD VulDB GitHub
CVSS 3.1
4.3
EPSS
5.9%
CVE-2022-3966 HIGH PATCH This Week

A vulnerability, which was classified as critical, has been found in Ultimate Member Plugin up to 2.5.0.php of the component Template Handler. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal PHP Ultimate Member
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-1208 MEDIUM POC PATCH This Month

The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Ultimate Member
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2022-1209 MEDIUM POC This Month

The Ultimate Member plugin for WordPress is vulnerable to arbitrary redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Open Redirect Ultimate Member
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2021-24306 MEDIUM POC This Month

The Ultimate Member - User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Ultimate Member
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2020-6859 MEDIUM PATCH This Month

Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users'. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Authentication Bypass PHP Ultimate Member
NVD GitHub
CVSS 3.1
5.3
EPSS
2.2%
CVE-2019-14947 MEDIUM POC This Month

The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Ultimate Member
NVD
CVSS 3.0
5.4
EPSS
0.9%
CVE-2019-14946 MEDIUM POC This Month

The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Ultimate Member
NVD
CVSS 3.0
5.4
EPSS
0.8%
CVE-2019-14945 MEDIUM POC This Month

The ultimate-member plugin before 2.0.54 for WordPress has XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Ultimate Member
NVD
CVSS 3.0
5.4
EPSS
0.9%
CVE-2019-10271 MEDIUM This Month

An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Ultimate Member
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2019-10270 HIGH POC This Week

An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation WordPress Ultimate Member
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2019-10673 HIGH POC This Week

A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE CSRF Ultimate Member
NVD
CVSS 3.0
8.8
EPSS
1.8%
CVE-2018-17866 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin before 2.0.28 for WordPress allow remote. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Ultimate Member
NVD
CVSS 3.0
6.1
EPSS
1.6%
CVE-2018-13136 MEDIUM This Month

The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Ultimate Member
NVD GitHub
CVSS 3.0
6.1
EPSS
1.5%
CVE-2018-0585 MEDIUM This Month

Cross-site scripting vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Ultimate Member
NVD
CVSS 3.0
5.4
EPSS
1.0%
CVE-2018-6944 MEDIUM POC This Month

core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Ultimate Member
NVD
CVSS 3.0
6.1
EPSS
1.2%
CVE-2015-8354 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPress plugin before 1.3.29 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _refer parameter to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress PHP Ultimate Member
NVD
CVSS 3.0
6.1
EPSS
0.5%
EPSS 0% CVSS 8.0
HIGH POC PATCH This Week

The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.

WordPress Information Disclosure Ultimate Member
NVD WPScan VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in Ultimate Member WordPress plugin versions up to 2.11.3 allows unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured security levels. The vulnerability has a low CVSS score (5.3) with minimal real-world exploitation risk (EPSS 0.02%), though it enables confidentiality impact through access control circumvention.

Authentication Bypass Ultimate Member
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to second-order SQL Injection via filenames in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable.

WordPress SQLi Ultimate Member
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Ultimate Member +1
NVD
EPSS 1% CVSS 7.5
HIGH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the search. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi Ultimate Member +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Ultimate Member
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Ultimate Member
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Ultimate Member
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Ultimate Member
NVD GitHub
EPSS 89% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi WordPress Ultimate Member
NVD GitHub
EPSS 30% CVSS 7.2
HIGH PATCH Act Now

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 29.6%.

XSS WordPress Ultimate Member
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Ultimate Member plugin <= 2.6.0 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Ultimate Member
NVD
EPSS 72% CVSS 9.8
CRITICAL POC THREAT Act Now

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Ultimate Member
NVD WPScan Exploit-DB
EPSS 38% 4.1 CVSS 7.2
HIGH POC PATCH THREAT Act Now

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 38.4%.

WordPress PHP RCE +2
NVD VulDB GitHub
EPSS 35% 4.0 CVSS 7.2
HIGH POC PATCH THREAT Act Now

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 34.9%.

WordPress RCE Code Injection +1
NVD VulDB GitHub
EPSS 6% CVSS 4.3
MEDIUM POC PATCH This Month

The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress PHP Path Traversal +2
NVD VulDB GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A vulnerability, which was classified as critical, has been found in Ultimate Member Plugin up to 2.5.0.php of the component Template Handler. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal PHP Ultimate Member
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Ultimate Member
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The Ultimate Member plugin for WordPress is vulnerable to arbitrary redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Open Redirect Ultimate Member
NVD GitHub VulDB
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The Ultimate Member - User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Ultimate Member
NVD WPScan
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users'. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Authentication Bypass PHP +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Ultimate Member
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Ultimate Member
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The ultimate-member plugin before 2.0.54 for WordPress has XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Ultimate Member
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Ultimate Member
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation WordPress Ultimate Member
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE CSRF +1
NVD
EPSS 2% CVSS 6.1
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin before 2.0.28 for WordPress allow remote. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Ultimate Member
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM This Month

Cross-site scripting vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Ultimate Member
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP +1
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPress plugin before 1.3.29 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _refer parameter to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress PHP +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy