VYPR

Medium severity (CVSS 5.5) · NVD Advisory · Published May 7, 2025 · Updated Apr 23, 2026

CVE-2025-47691

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Ultimate Member (Ultimate Member, ultimate-member) allows Code Injection. This issue affects Ultimate Member: from n/a through <= 2.10.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A code injection vulnerability in the Ultimate Member plugin for WordPress (<= 2.10.3) allows unauthenticated attackers to execute arbitrary code via improper input handling.

Vulnerability

Overview

The Ultimate Member plugin for WordPress, versions 2.10.3 and earlier, contains a code injection vulnerability due to improper control of code generation. This allows an attacker to inject arbitrary PHP code through unsanitized user input [1].

Exploitation

The vulnerability can be exploited remotely without authentication. An attacker sends specially crafted requests to the plugin's endpoints, bypassing input validation to inject code that is then executed on the server. No special privileges or network position are required beyond access to the WordPress site [1].

Impact

Successful exploitation leads to arbitrary code execution, giving the attacker full control over the affected WordPress site. This can result in data theft, site defacement, malware distribution, and further compromise of the server. The vulnerability is actively used in mass-exploit campaigns targeting thousands of sites [1].

Mitigation

The vendor has released a patched version. Users should update Ultimate Member to version 2.10.4 or later immediately. If updating is not possible, consult with a hosting provider or security professional for temporary workarounds [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.