CVE-2025-0318

Published: Jan 18, 2025Modified: Feb 25, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: security@wordfence.com (Secondary)

Description

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.9.1 through different error messages in the responses. This makes it possible for unauthenticated attackers to exfiltrate data from wp_usermeta table.

Affected (1)

Products: Ultimatemember: Ultimate Member

1 product

Ultimate Member

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ultimatemember Ultimate Member	Before 2.9.2

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (2)

https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.9.1/includes/core/um-actions-form.php#L944

Source: security@wordfence.com

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/4ee149bf-ffa3-4906-8be2-9c3c40b28287?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.