CVE-2025-1702

Vulnerability

Overview

CVE-2025-1702 is a time-based SQL injection vulnerability found in the Ultimate Member plugin for WordPress, affecting all versions up to and including 2.10.0. The flaw exists in the plugin's member directory search functionality, where the 'search' parameter is insufficiently escaped and the underlying SQL query lacks adequate preparation [1]. This allows an attacker to inject malicious SQL code that gets appended to existing queries [2].

Exploitation

Method

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the member directory search endpoint, injecting SQL syntax into the 'search' parameter. Because the plugin does not properly filter or sanitize input, and the query construction does not use prepared statements, the injected payload is executed by the database [2]. The exploit is time-based, meaning the attacker can infer information by observing response delays caused by SQL functions such as SLEEP() [2].

Impact

Successful exploitation enables an attacker to extract sensitive information from the WordPress database, including but not limited to user credentials, password hashes, and other private data stored by the plugin or site. Since the vulnerability is exploitable without authentication, any public-facing installation of the plugin is at risk [1][2].

Mitigation

The vulnerability has been patched in the development branch, as shown by a commit that adds additional SQL injection filters to the prepare_search() method [2]. Users are urged to update Ultimate Member to version 2.10.1 or later as soon as it becomes available. As of the publication date, no evidence of exploitation in the wild has been confirmed, but administrators should apply the patch proactively.