CVE-2025-0308

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform time-based SQL injection attacks against WordPress sites using the Ultimate Member plugin. Attackers can extract sensitive information from the database by manipulating search parameters. All WordPress sites using Ultimate Member plugin versions up to 2.9.1 are affected.

💻 Affected Systems

Products:
  • Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress
Versions: All versions up to and including 2.9.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the Ultimate Member plugin enabled are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including user credentials, personal data, and administrative access leading to site takeover.

🟠 Likely Case

Extraction of user data, email addresses, and potentially hashed passwords from the WordPress database.

🟢 If Mitigated

Limited information disclosure if database permissions are properly restricted and sensitive data is encrypted.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable by unauthenticated attackers via public search functionality.
🏢 Internal Only: LOW - The attack vector is through public-facing web interfaces, not internal network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Time-based SQL injection requires specialized tools and knowledge but is well-documented in security communities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.2 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3200000%40ultimate-member%2Ftrunk&old=3199999%40ultimate-member%2Ftrunk

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Ultimate Member plugin.
4. Click 'Update Now' if available.
5. If no update appears, download version 2.9.2+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Disable Member Directory Search (all)

Temporarily disable the search functionality in member directory pages to block the attack vector.

How: edit WordPress theme files to remove search forms from member directory templates.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block SQL injection patterns in search parameters
  • Restrict access to member directory pages using IP whitelisting or authentication requirements

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Ultimate Member version ≤ 2.9.1

Check Version:

wp plugin list --name='ultimate-member' --field=version

Verify Fix Applied:

Confirm Ultimate Member plugin version is 2.9.2 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusually long-running database queries originating from search endpoints
  • Multiple sequential requests to /members/ with SQL-like parameters

Network Indicators:

  • HTTP requests to member directory with SLEEP(), BENCHMARK(), or WAITFOR DELAY in parameters
  • Abnormal response timing patterns from search functionality

SIEM Query:

web.url:*members* AND (web.param:*SLEEP* OR web.param:*BENCHMARK* OR web.param:*WAITFOR*)
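As an added detection example (not part of this advisory), the following Python scans combined-format access-log lines with the response time in microseconds appended (Apache's %D) and flags requests to the member-directory path whose query string carries one of the delay primitives named above, or whose response time is abnormally long. The log layout, the /members path prefix and the 4-second threshold are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Time-delay primitives listed in the advisory's network indicators.
DELAY_PATTERN = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR\s+DELAY)\b", re.IGNORECASE)
# Combined log format with %D (response time in microseconds) as the last field (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "[^"]*" (?P<us>\d+)$'
)
SLOW_MS = 4000          # assumed threshold for "abnormal response timing"
MEMBERS_PATH = "/members"  # assumed member-directory path prefix

def scan_line(line, slow_ms=SLOW_MS):
    """Return a finding dict for a suspicious member-directory request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url)
    if MEMBERS_PATH not in parts.path:
        return None
    reasons = []
    # parse_qsl already percent-decodes once; decode again to catch double-encoded values.
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if DELAY_PATTERN.search(unquote_plus(val)):
            reasons.append(f"delay primitive in param {key!r}")
    elapsed_ms = int(m.group("us")) / 1000
    if elapsed_ms >= slow_ms:
        reasons.append(f"slow response {elapsed_ms:.0f} ms")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "url": url, "reasons": reasons}

def scan(lines, slow_ms=SLOW_MS):
    """Run scan_line over an iterable of log lines and collect the findings."""
    return [hit for hit in (scan_line(line, slow_ms) for line in lines) if hit]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /members/?search=alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 180000',
    '203.0.113.5 - - [10/Mar/2025:12:00:07 +0000] "GET /members/?search=SLEEP%285%29 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5200000',
    '198.51.100.9 - - [10/Mar/2025:12:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 90000',
    '203.0.113.5 - - [10/Mar/2025:12:00:12 +0000] "GET /members/?sort=BENCHMARK%285000000%2CMD5%281%29%29 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 4800000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["url"], "; ".join(hit["reasons"]))
```

Responses that are slow without any delay keyword are still reported, which is what catches obfuscated or encoded variants the keyword match misses.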

🔗 References