CVE-2025-0318
📋 TL;DR
The Ultimate Member WordPress plugin versions up to 2.9.1 leak sensitive user metadata through error messages. Unauthenticated attackers can extract data from the wp_usermeta table, potentially exposing personal information. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress
📦 What is this software?
Ultimate Member by Ultimatemember
⚠️ Risk & Real-World Impact
Worst Case
Mass exfiltration of all wp_usermeta data including email addresses, phone numbers, addresses, and custom user fields, leading to privacy violations and potential identity theft.
Likely Case
Attackers harvest email addresses and basic user metadata for spam campaigns, phishing attempts, or credential stuffing attacks.
If Mitigated
Exposure limited to non-sensitive metadata where a web application firewall is in place and monitoring detects unusual error-message patterns.
🎯 Exploit Status
Exploitation involves sending crafted requests to trigger specific error responses that leak data. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.2 or later
Vendor Advisory: https://wordpress.org/plugins/ultimate-member/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Ultimate Member plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.9.2+ from WordPress.org and manually replace the plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the Ultimate Member plugin until patched to prevent exploitation.
wp plugin deactivate ultimate-member
Web Application Firewall Rule
Block requests that trigger the specific error messages leaking data.
🧯 If You Can't Patch
- Implement rate limiting on WordPress endpoints to slow down data exfiltration attempts
- Deploy a web application firewall (WAF) with rules to block requests triggering information disclosure errors
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the Ultimate Member version. If the version is 2.9.1 or lower, the site is vulnerable.
Check Version:
wp plugin get ultimate-member --field=version
Verify Fix Applied:
After updating, verify plugin version shows 2.9.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of requests to Ultimate Member endpoints returning error messages
- Patterns of failed authentication attempts with specific error responses
Network Indicators:
- Multiple rapid requests to /wp-json/um/* or /wp-admin/admin-ajax.php?action=um_* endpoints from single IPs
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/um/*" OR uri_path="/wp-admin/admin-ajax.php") AND status>=400 | stats count by src_ip
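As an added illustration of the log and network indicators above (example code, not part of the original advisory), this Python script applies the same filter as the SIEM query to web-server access logs: 4xx/5xx responses on /wp-json/um/* or on admin-ajax.php calls whose action starts with um_, counted per source IP and flagged above a threshold. The log lines, IP addresses and the threshold of 3 are constructed sample values.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "GET /wp-json/um/v2/users HTTP/1.1" 400 512 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=um_get_members HTTP/1.1" 400 498 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=um_get_members HTTP/1.1" 400 503 "-" "curl/8.0"
198.51.100.4 - - [10/Jan/2025:12:00:05 +0000] "GET /wp-json/um/v2/users HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:12:00:06 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 403 10 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""

# Source IP, request method, request target and status code of a combined-log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_um_endpoint(target: str) -> bool:
    """True for /wp-json/um/* and for admin-ajax.php calls whose action starts with um_."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/um/"):
        return True
    if parts.path == "/wp-admin/admin-ajax.php":
        action = parse_qs(parts.query).get("action", [""])[0]
        return action.startswith("um_")
    return False


def count_um_errors(log_text: str) -> Counter:
    """Count error responses (status >= 400) on Ultimate Member endpoints per source IP."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["status"]) >= 400 and is_um_endpoint(m["target"]):
            counts[m["ip"]] += 1
    return counts


def flag_sources(log_text: str, threshold: int = 3) -> list:
    """Return source IPs whose error count reaches the threshold, highest count first."""
    return [ip for ip, n in count_um_errors(log_text).most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in count_um_errors(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} error responses on Ultimate Member endpoints")
    print("flagged:", flag_sources(SAMPLE_LOG))
```

Tune the threshold to the site's normal error rate before alerting on it; the 403 on the heartbeat action is deliberately excluded because it is not an Ultimate Member request.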