Ultimatemember

All CVEs

31 total · sorted by risk
  • CVE-2024-54367 · Critical · Dec 16, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Deserialization of Untrusted Data vulnerability in Ultimate Member ForumWP forumwp allows Object Injection. This issue affects ForumWP: from n/a through <= 2.1.0.

  • CVE-2024-8428 · High · Sep 6, 2024
    risk 0.50 · cvss 8.8 · epss 0.00

    The ForumWP – Forum & Discussion Board Plugin plugin for WordPress is vulnerable to Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the submit_form_handler due to missing validation on the 'user_id' user controlled key.…

  • CVE-2022-3384 · High · Nov 29, 2022
    risk 0.50 · cvss 7.2 · epss 0.03

    The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and passes it through call_user_func(). This is restricted to non-parameter PHP…

  • CVE-2022-3383 · High · Nov 29, 2022
    risk 0.50 · cvss 7.2 · epss 0.03

    The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for…

  • CVE-2026-4248 · High · Mar 27, 2026
    risk 0.45 · cvss 8.0 · epss 0.00

    The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag being processed within post content via the '[um_loggedin]' shortcode, which…

  • CVE-2025-13220 · Medium · Dec 21, 2025
    risk 0.42 · cvss 6.4 · epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode attributes in all versions up to, and including, 2.11.0 due to…

  • CVE-2025-1702 · High · Mar 5, 2025
    risk 0.42 · cvss 7.5 · epss 0.01

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 2.10.0 due to insufficient…

  • CVE-2024-2123 · High · Mar 13, 2024
    risk 0.42 · cvss 7.2 · epss 0.27

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input…

  • CVE-2022-1208 · Medium · Jun 13, 2022
    risk 0.42 · cvss 6.4 · epss 0.01

    The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and output escaping that allows users to encode malicious web scripts with HTML encoding…

  • CVE-2018-13136 · Medium · Jul 4, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen.

  • CVE-2018-6944 · Medium · Feb 16, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.

  • CVE-2015-8354 · Medium · Sep 11, 2017
    risk 0.40 · cvss 6.1 · epss 0.02

    Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPress plugin before 1.3.29 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _refer parameter to wp-admin/users.php.

  • CVE-2025-47691 · Medium · May 7, 2025
    risk 0.36 · cvss 5.5 · epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Ultimate Member Ultimate Member ultimate-member allows Code Injection. This issue affects Ultimate Member: from n/a through <= 2.10.3.

  • CVE-2025-15064 · Medium · Apr 4, 2026
    risk 0.35 · cvss 6.4 · epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient…

  • CVE-2025-13217 · Medium · Dec 17, 2025
    risk 0.35 · cvss 6.4 · epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to…

  • CVE-2023-23715 · Medium · Dec 9, 2024
    risk 0.34 · cvss 5.2 · epss 0.01

    Missing Authorization vulnerability in JobBoardWP JobBoardWP – Job Board Listings and Submissions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBoardWP – Job Board Listings and Submissions: from n/a through 1.2.2.

  • CVE-2026-1404 · Medium · Feb 18, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the filter parameters (e.g., 'filter_first_name') in all versions up to, and including,…

  • CVE-2024-11204 · Medium · Dec 6, 2024
    risk 0.33 · cvss 6.1 · epss 0.00

    The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for…

  • CVE-2024-10879 · Medium · Dec 6, 2024
    risk 0.33 · cvss 6.1 · epss 0.00

    The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.2. This makes it possible for…

  • CVE-2022-3361 · Medium · Nov 29, 2022
    risk 0.29 · cvss 4.3 · epss 0.02

    The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply…

  • CVE-2025-67474 · Medium · Dec 9, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in Ultimate Member ForumWP forumwp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ForumWP: from n/a through <= 2.1.4.

  • CVE-2024-2765 · Medium · May 2, 2024
    risk 0.28 · cvss 5.4 · epss 0.01

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and Spotify URL parameters in all versions up to, and including, 2.8.4 due to…

  • CVE-2022-1209 · Medium · May 10, 2022
    risk 0.28 · cvss 4.3 · epss 0.01

    The Ultimate Member plugin for WordPress is vulnerable to arbitrary redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims in versions up to, and including, 2.3.1.

  • CVE-2025-14081 · Medium · Dec 17, 2025
    risk 0.21 · cvss 4.3 · epss 0.00

    The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is…

  • CVE-2024-12276 · Feb 21, 2025
    risk 0.00 · cvss (not listed) · epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to second-order SQL Injection via filenames in all versions up to, and including, 2.9.2 due to insufficient escaping on the…

  • CVE-2025-0308 · Jan 18, 2025
    risk 0.00 · cvss (not listed) · epss 0.01

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the search parameter in all versions up to, and including, 2.9.1 due to insufficient escaping…

  • CVE-2025-0318 · Jan 18, 2025
    risk 0.00 · cvss (not listed) · epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.9.1 through different error messages in the responses. This…

  • CVE-2024-10880 · Nov 23, 2024
    risk 0.00 · cvss (not listed) · epss 0.00

    The JobBoardWP – Job Board Listings and Submissions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3.0. This makes it…

  • CVE-2024-10528 · Nov 21, 2024
    risk 0.00 · cvss (not listed) · epss 0.01

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_ajax_um_resize_image() and…

  • CVE-2024-8519 · Oct 4, 2024
    risk 0.00 · cvss (not listed) · epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'um_loggedin' shortcode in all versions up to, and including, 2.8.6 due to…

  • CVE-2024-8520 · Oct 4, 2024
    risk 0.00 · cvss (not listed) · epss 0.00

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.6. This is due to missing or incorrect nonce validation…