The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The vulnerability results from insufficient escaping of user-supplied data in the 'sorting' parameter and lack of proper preparation of the existing SQL query. An attacker without any authentication can inject additional SQL fragments into existing queries (SQL Injection technique). The vulnerability is located in the 'class-member-directory-meta.php' file, which is responsible for handling the user directory.
An unauthenticated attacker can extract any sensitive information from the WordPress database, including user data, passwords (hashes), session tokens, and other confidential information stored in the database. Depending on server configuration, further compromise of system integrity and availability is also possible.
The Ultimate Member plugin should be updated to a version higher than 2.8.2, which includes the fix (changeset 3038036). The patch is available in the official WordPress repository. If immediate update is not possible, consider temporarily disabling the plugin until the patch is deployed.
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress in versions from 2.1.3 to 2.8.2 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HUltimatemember Ultimate Member
APPUltimatemember2.1.3 – 2.8.3 (bez)
Related vulnerabilities
The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with a...
An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Authenticated Privilege...
An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privile...
An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privile...
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Pl...