VYPR

Ultimatemember

by WordPress

Source repositories

CVEs (54)

  • CVE-2020-36170MedJan 6, 2021
    risk 0.28cvss 5.3epss 0.01

    The Ultimate Member plugin before 2.1.13 for WordPress mishandles hidden name="timestamp" fields in forms.

  • CVE-2019-10271MedJun 24, 2019
    risk 0.28cvss 4.3epss 0.01

    An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. It is possible to modify the profile and cover picture of any user once one is connected. One can also modify the profiles and cover pictures…

  • CVE-2018-0590MedMay 14, 2018
    risk 0.28cvss 4.3epss 0.01

    Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to modify the other users profiles via unspecified vectors.

  • CVE-2018-0589MedMay 14, 2018
    risk 0.28cvss 4.3epss 0.01

    Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to add a new form in the 'Forms' page via unspecified vectors.

  • CVE-2018-0587MedMay 14, 2018
    risk 0.28cvss 4.3epss 0.01

    Unrestricted file upload vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors.

  • CVE-2018-0586MedMay 14, 2018
    risk 0.28cvss 4.3epss 0.02

    Directory traversal vulnerability in the shortcodes function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to read arbitrary files via unspecified vectors.

  • CVE-2018-0585MedMay 14, 2018
    risk 0.28cvss 5.4epss 0.01

    Cross-site scripting vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2024-12276MedFeb 21, 2025
    risk 0.27cvss 5.3epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to second-order SQL Injection via filenames in all versions up to, and including, 2.9.2 due to insufficient escaping on the…

  • CVE-2025-0318MedJan 18, 2025
    risk 0.27cvss 5.3epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.9.1 through different error messages in the responses. This…

  • CVE-2024-8520MedOct 4, 2024
    risk 0.27cvss 5.3epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.6. This is due to missing or incorrect nonce validation…

  • CVE-2025-14081MedDec 17, 2025
    risk 0.21cvss 4.3epss 0.00

    The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is…

  • CVE-2024-10528MedNov 21, 2024
    risk 0.21cvss 4.3epss 0.01

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_ajax_um_resize_image() and…

  • CVE-2026-7761Jun 24, 2026
    risk 0.00cvss epss 0.01

    The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be…

  • CVE-2020-6859MedJan 13, 2020
    risk 0.00cvss 5.3epss 0.02

    Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parameter. This is related to…

Page 3 of 3