Ultimatemember
by WordPress
Source repositories
CVEs (54)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-6944 | Med | 0.40 | 6.1 | 0.01 | Feb 16, 2018 | core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable. | ||
| CVE-2018-6943 | Med | 0.40 | 6.1 | 0.01 | Feb 16, 2018 | core/lib/upload/um-image-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable. | ||
| CVE-2015-8354 | Med | 0.40 | 6.1 | 0.02 | Sep 11, 2017 | Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPress plugin before 1.3.29 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _refer parameter to wp-admin/users.php. | ||
| CVE-2020-37169 | Med | 0.36 | 5.5 | 0.00 | May 13, 2026 | WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to… | ||
| CVE-2025-47691 | Med | 0.36 | 5.5 | 0.00 | May 7, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in Ultimate Member Ultimate Member ultimate-member allows Code Injection.This issue affects Ultimate Member: from n/a through <= 2.10.3. | ||
| CVE-2025-15064 | Med | 0.35 | 6.4 | 0.00 | Apr 4, 2026 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient… | ||
| CVE-2025-13217 | Med | 0.35 | 6.4 | 0.00 | Dec 17, 2025 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to… | ||
| CVE-2024-8519 | Med | 0.35 | 6.4 | 0.00 | Oct 4, 2024 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'um_loggedin' shortcode in all versions up to, and including, 2.8.6 due to… | ||
| CVE-2021-24306 | Med | 0.35 | 5.4 | 0.01 | May 24, 2021 | The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site… | ||
| CVE-2019-14947 | Med | 0.35 | 5.4 | 0.01 | Aug 12, 2019 | The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade. | ||
| CVE-2019-14946 | Med | 0.35 | 5.4 | 0.01 | Aug 12, 2019 | The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations. | ||
| CVE-2019-14945 | Med | 0.35 | 5.4 | 0.01 | Aug 12, 2019 | The ultimate-member plugin before 2.0.54 for WordPress has XSS. | ||
| CVE-2026-1404 | Med | 0.33 | 6.1 | 0.00 | Feb 18, 2026 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the filter parameters (e.g., 'filter_first_name') in all versions up to, and including,… | ||
| CVE-2018-20965 | Med | 0.33 | 6.1 | 0.01 | Aug 12, 2019 | The ultimate-member plugin before 2.0.4 for WordPress has XSS. | ||
| CVE-2016-10872 | Med | 0.33 | 6.1 | 0.01 | Aug 12, 2019 | The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form. | ||
| CVE-2018-10234 | Med | 0.31 | 4.8 | 0.01 | Apr 23, 2018 | Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options§ion=account page. | ||
| CVE-2024-2765 | Med | 0.28 | 5.4 | 0.01 | May 2, 2024 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and Spotify URL parameters in all versions up to, and including, 2.8.4 due to… | ||
| CVE-2023-31216 | Med | 0.28 | 4.3 | 0.00 | Jul 17, 2023 | Cross-Site Request Forgery (CSRF) vulnerability in Ultimate Member plugin <= 2.6.0 versions. | ||
| CVE-2022-3361 | Med | 0.28 | 4.3 | 0.02 | Nov 29, 2022 | The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply… | ||
| CVE-2022-1209 | Med | 0.28 | 4.3 | 0.01 | May 10, 2022 | The Ultimate Member plugin for WordPress is vulnerable to arbitrary redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims in versions up to, and including, 2.3.1. |
- risk 0.40cvss 6.1epss 0.01
core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.
- risk 0.40cvss 6.1epss 0.01
core/lib/upload/um-image-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.
- risk 0.40cvss 6.1epss 0.02
Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPress plugin before 1.3.29 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _refer parameter to wp-admin/users.php.
- risk 0.36cvss 5.5epss 0.00
WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to…
- risk 0.36cvss 5.5epss 0.00
Improper Control of Generation of Code ('Code Injection') vulnerability in Ultimate Member Ultimate Member ultimate-member allows Code Injection.This issue affects Ultimate Member: from n/a through <= 2.10.3.
- risk 0.35cvss 6.4epss 0.00
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient…
- risk 0.35cvss 6.4epss 0.00
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to…
- risk 0.35cvss 6.4epss 0.00
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'um_loggedin' shortcode in all versions up to, and including, 2.8.6 due to…
- risk 0.35cvss 5.4epss 0.01
The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site…
- risk 0.35cvss 5.4epss 0.01
The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.
- risk 0.35cvss 5.4epss 0.01
The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.
- risk 0.35cvss 5.4epss 0.01
The ultimate-member plugin before 2.0.54 for WordPress has XSS.
- risk 0.33cvss 6.1epss 0.00
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the filter parameters (e.g., 'filter_first_name') in all versions up to, and including,…
- risk 0.33cvss 6.1epss 0.01
The ultimate-member plugin before 2.0.4 for WordPress has XSS.
- risk 0.33cvss 6.1epss 0.01
The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form.
- risk 0.31cvss 4.8epss 0.01
Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options§ion=account page.
- risk 0.28cvss 5.4epss 0.01
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and Spotify URL parameters in all versions up to, and including, 2.8.4 due to…
- risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Ultimate Member plugin <= 2.6.0 versions.
- risk 0.28cvss 4.3epss 0.02
The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply…
- risk 0.28cvss 4.3epss 0.01
The Ultimate Member plugin for WordPress is vulnerable to arbitrary redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims in versions up to, and including, 2.3.1.
Page 2 of 3