Ultimatemember
Products
3- 24 CVEs
- 5 CVEs
- 2 CVEs
Recent CVEs
31| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-54367 | Cri | 0.64 | 9.8 | 0.01 | Dec 16, 2024 | Deserialization of Untrusted Data vulnerability in Ultimate Member ForumWP forumwp allows Object Injection.This issue affects ForumWP: from n/a through <= 2.1.0. | ||
| CVE-2024-8428 | Hig | 0.50 | 8.8 | 0.00 | Sep 6, 2024 | The ForumWP – Forum & Discussion Board Plugin plugin for WordPress is vulnerable to Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the submit_form_handler due to missing validation on the 'user_id' user controlled key.… | ||
| CVE-2022-3384 | Hig | 0.50 | 7.2 | 0.03 | Nov 29, 2022 | The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and passes it through call_user_func(). This is restricted to non-parameter PHP… | ||
| CVE-2022-3383 | Hig | 0.50 | 7.2 | 0.03 | Nov 29, 2022 | The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for… | ||
| CVE-2026-4248 | Hig | 0.45 | 8.0 | 0.00 | Mar 27, 2026 | The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag being processed within post content via the '[um_loggedin]' shortcode, which… | ||
| CVE-2025-13220 | Med | 0.42 | 6.4 | 0.00 | Dec 21, 2025 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode attributes in all versions up to, and including, 2.11.0 due to… | ||
| CVE-2025-1702 | Hig | 0.42 | 7.5 | 0.01 | Mar 5, 2025 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 2.10.0 due to insufficient… | ||
| CVE-2024-2123 | Hig | 0.42 | 7.2 | 0.27 | Mar 13, 2024 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input… | ||
| CVE-2022-1208 | Med | 0.42 | 6.4 | 0.01 | Jun 13, 2022 | The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and output escaping that allows users to encode malicious web scripts with HTML encoding… | ||
| CVE-2018-13136 | Med | 0.40 | 6.1 | 0.01 | Jul 4, 2018 | The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen. | ||
| CVE-2018-6944 | Med | 0.40 | 6.1 | 0.01 | Feb 16, 2018 | core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable. | ||
| CVE-2015-8354 | Med | 0.40 | 6.1 | 0.02 | Sep 11, 2017 | Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPress plugin before 1.3.29 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _refer parameter to wp-admin/users.php. | ||
| CVE-2025-47691 | Med | 0.36 | 5.5 | 0.00 | May 7, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in Ultimate Member Ultimate Member ultimate-member allows Code Injection.This issue affects Ultimate Member: from n/a through <= 2.10.3. | ||
| CVE-2025-15064 | Med | 0.35 | 6.4 | 0.00 | Apr 4, 2026 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient… | ||
| CVE-2025-13217 | Med | 0.35 | 6.4 | 0.00 | Dec 17, 2025 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to… | ||
| CVE-2023-23715 | Med | 0.34 | 5.2 | 0.01 | Dec 9, 2024 | Missing Authorization vulnerability in JobBoardWP JobBoardWP – Job Board Listings and Submissions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobBoardWP – Job Board Listings and Submissions: from n/a through 1.2.2. | ||
| CVE-2026-1404 | Med | 0.33 | 6.1 | 0.00 | Feb 18, 2026 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the filter parameters (e.g., 'filter_first_name') in all versions up to, and including,… | ||
| CVE-2024-11204 | Med | 0.33 | 6.1 | 0.00 | Dec 6, 2024 | The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for… | ||
| CVE-2024-10879 | Med | 0.33 | 6.1 | 0.00 | Dec 6, 2024 | The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.2. This makes it possible for… | ||
| CVE-2022-3361 | Med | 0.29 | 4.3 | 0.02 | Nov 29, 2022 | The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply… |
- risk 0.64cvss 9.8epss 0.01
Deserialization of Untrusted Data vulnerability in Ultimate Member ForumWP forumwp allows Object Injection.This issue affects ForumWP: from n/a through <= 2.1.0.
- risk 0.50cvss 8.8epss 0.00
The ForumWP – Forum & Discussion Board Plugin plugin for WordPress is vulnerable to Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the submit_form_handler due to missing validation on the 'user_id' user controlled key.…
- risk 0.50cvss 7.2epss 0.03
The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and passes it through call_user_func(). This is restricted to non-parameter PHP…
- risk 0.50cvss 7.2epss 0.03
The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for…
- risk 0.45cvss 8.0epss 0.00
The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag being processed within post content via the '[um_loggedin]' shortcode, which…
- risk 0.42cvss 6.4epss 0.00
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode attributes in all versions up to, and including, 2.11.0 due to…
- risk 0.42cvss 7.5epss 0.01
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 2.10.0 due to insufficient…
- risk 0.42cvss 7.2epss 0.27
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input…
- risk 0.42cvss 6.4epss 0.01
The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and output escaping that allows users to encode malicious web scripts with HTML encoding…
- risk 0.40cvss 6.1epss 0.01
The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen.
- risk 0.40cvss 6.1epss 0.01
core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.
- risk 0.40cvss 6.1epss 0.02
Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPress plugin before 1.3.29 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _refer parameter to wp-admin/users.php.
- risk 0.36cvss 5.5epss 0.00
Improper Control of Generation of Code ('Code Injection') vulnerability in Ultimate Member Ultimate Member ultimate-member allows Code Injection.This issue affects Ultimate Member: from n/a through <= 2.10.3.
- risk 0.35cvss 6.4epss 0.00
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient…
- risk 0.35cvss 6.4epss 0.00
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to…
- risk 0.34cvss 5.2epss 0.01
Missing Authorization vulnerability in JobBoardWP JobBoardWP – Job Board Listings and Submissions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobBoardWP – Job Board Listings and Submissions: from n/a through 1.2.2.
- risk 0.33cvss 6.1epss 0.00
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the filter parameters (e.g., 'filter_first_name') in all versions up to, and including,…
- risk 0.33cvss 6.1epss 0.00
The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for…
- risk 0.33cvss 6.1epss 0.00
The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.2. This makes it possible for…
- risk 0.29cvss 4.3epss 0.02
The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply…