CVE-2025-12492 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2025-12492?

CVE-2025-12492 has a CVSS score of 5.3 (MEDIUM). This vulnerability allows unauthenticated attackers to extract sensitive user information from WordPress sites using the Ultimate Member plugin. Attackers can enumerate predictable directory IDs or brute-force a small token space to access usernames, display names, user roles (including administrators), profile URLs, and user IDs. All WordPress sites running Ultimate Member plugin versions up to 2.11.0 are affected.

📋 TL;DR

This vulnerability allows unauthenticated attackers to extract sensitive user information from WordPress sites using the Ultimate Member plugin. Attackers can enumerate predictable directory IDs or brute-force a small token space to access usernames, display names, user roles (including administrators), profile URLs, and user IDs. All WordPress sites running Ultimate Member plugin versions up to 2.11.0 are affected.

💻 Affected Systems

Products:

Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress

Versions: All versions up to and including 2.11.0

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: All installations with the vulnerable plugin enabled are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain complete user directory including administrator accounts, enabling targeted phishing, credential stuffing, or privilege escalation attacks.

🟠

Likely Case

Attackers harvest user data for spam campaigns, social engineering, or credential stuffing against other services using the same usernames/emails.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to information disclosure without direct system compromise.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires minimal technical skill - attackers can use simple scripts to enumerate predictable tokens or brute-force the small 16^5 space.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.1 or later

Vendor Advisory: https://wordpress.org/plugins/ultimate-member/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Ultimate Member plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.11.1+ from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint

all

Remove or restrict access to the vulnerable ajax_get_members function by modifying plugin files or using WordPress hooks.

Add to theme's functions.php or custom plugin: add_action('wp_ajax_nopriv_um_get_members', '__return_false'); add_action('wp_ajax_um_get_members', '__return_false');

Temporary plugin deactivation

linux

Disable the Ultimate Member plugin until patched version can be installed.

wp plugin deactivate ultimate-member

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block requests to /wp-admin/admin-ajax.php with 'action=um_get_members' parameter
Restrict access to admin-ajax.php endpoint using IP whitelisting or authentication requirements

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Ultimate Member → Version number. If version is 2.11.0 or lower, system is vulnerable.

Check Version:

wp plugin get ultimate-member --field=version

Verify Fix Applied:

After updating, verify plugin version shows 2.11.1 or higher. Test the AJAX endpoint with unauthenticated requests to confirm it no longer returns user data.

📡 Detection & Monitoring

Log Indicators:

Multiple POST requests to /wp-admin/admin-ajax.php with 'action=um_get_members' parameter
Unusual volume of requests with directory_id parameter values from unauthenticated IPs

Network Indicators:

Bursts of requests to admin-ajax.php endpoint from single IPs
Pattern of sequential or predictable directory_id values in requests

SIEM Query:

source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND query_string="*action=um_get_members*" AND user_agent!="*bot*" | stats count by src_ip

📊 Metadata

CVE ID: CVE-2025-12492

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-200

EPSS Score: 0.07% exploit probability (20th percentile)

Published: December 20, 2025

Last Updated: December 23, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12492, you might also want to check these: