VYPR

Ultimatemember

by WordPress

Source repositories

CVEs (54)

  • CVE-2018-6944MedFeb 16, 2018
    risk 0.40cvss 6.1epss 0.01

    core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.

  • CVE-2018-6943MedFeb 16, 2018
    risk 0.40cvss 6.1epss 0.01

    core/lib/upload/um-image-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.

  • CVE-2015-8354MedSep 11, 2017
    risk 0.40cvss 6.1epss 0.02

    Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPress plugin before 1.3.29 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _refer parameter to wp-admin/users.php.

  • CVE-2020-37169MedMay 13, 2026
    risk 0.36cvss 5.5epss 0.00

    WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to…

  • CVE-2025-47691MedMay 7, 2025
    risk 0.36cvss 5.5epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Ultimate Member Ultimate Member ultimate-member allows Code Injection.This issue affects Ultimate Member: from n/a through <= 2.10.3.

  • CVE-2025-15064MedApr 4, 2026
    risk 0.35cvss 6.4epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient…

  • CVE-2025-13217MedDec 17, 2025
    risk 0.35cvss 6.4epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to…

  • CVE-2024-8519MedOct 4, 2024
    risk 0.35cvss 6.4epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'um_loggedin' shortcode in all versions up to, and including, 2.8.6 due to…

  • CVE-2021-24306MedMay 24, 2021
    risk 0.35cvss 5.4epss 0.01

    The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site…

  • CVE-2019-14947MedAug 12, 2019
    risk 0.35cvss 5.4epss 0.01

    The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.

  • CVE-2019-14946MedAug 12, 2019
    risk 0.35cvss 5.4epss 0.01

    The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.

  • CVE-2019-14945MedAug 12, 2019
    risk 0.35cvss 5.4epss 0.01

    The ultimate-member plugin before 2.0.54 for WordPress has XSS.

  • CVE-2026-1404MedFeb 18, 2026
    risk 0.33cvss 6.1epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the filter parameters (e.g., 'filter_first_name') in all versions up to, and including,…

  • CVE-2018-20965MedAug 12, 2019
    risk 0.33cvss 6.1epss 0.01

    The ultimate-member plugin before 2.0.4 for WordPress has XSS.

  • CVE-2016-10872MedAug 12, 2019
    risk 0.33cvss 6.1epss 0.01

    The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form.

  • CVE-2018-10234MedApr 23, 2018
    risk 0.31cvss 4.8epss 0.01

    Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.

  • CVE-2024-2765MedMay 2, 2024
    risk 0.28cvss 5.4epss 0.01

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and Spotify URL parameters in all versions up to, and including, 2.8.4 due to…

  • CVE-2023-31216MedJul 17, 2023
    risk 0.28cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Ultimate Member plugin <= 2.6.0 versions.

  • CVE-2022-3361MedNov 29, 2022
    risk 0.28cvss 4.3epss 0.02

    The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply…

  • CVE-2022-1209MedMay 10, 2022
    risk 0.28cvss 4.3epss 0.01

    The Ultimate Member plugin for WordPress is vulnerable to arbitrary redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims in versions up to, and including, 2.3.1.