CVE-2025-12778
📋 TL;DR
This vulnerability allows unauthenticated attackers to extract partial profile metadata for every WordPress user, including first names, last names and email addresses, from sites running the Ultimate Member Widgets for Elementor plugin. Any WordPress installation with the plugin active is exposed: the attacker needs no account on the site, and every registered user's data is exposed regardless of that user's role.
💻 Affected Systems
- Ultimate Member Widgets for Elementor – WordPress User Directory
⚠️ Manual Verification Required
This CVE's database entry carries no vendor-supplied version range, so automated scanners that rely on version matching cannot decide whether a given installation is affected.
Why? The NVD/vendor record does not state which versions are vulnerable. The fix information below (patched in 2.4, per the vendor changeset) is the best available guide, so treat any version earlier than 2.4 as affected until confirmed otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass data breach exposing all user PII (names and emails) leading to targeted phishing, credential stuffing attacks, and privacy violations.
Likely Case
Attackers harvest email addresses for spam campaigns and targeted phishing against site users.
If Mitigated
Limited exposure if plugin is patched immediately or disabled before exploitation.
🎯 Exploit Status
Exploitation requires only a crafted HTTP request to the vulnerable admin-ajax.php action; no authentication, account or prior interaction with the site is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3397029/ultimate-member-widgets-for-elementor
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Ultimate Member Widgets for Elementor'.
4. Click 'Update Now' if available, or manually update to version 2.4 or later.
5. Verify that the update completed and the listed version is 2.4 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the plugin until the patched version can be applied. Note that this also removes the plugin's Elementor widgets (including the user directory) from the front end until it is reactivated.
wp plugin deactivate ultimate-member-widgets-for-elementor
🧯 If You Can't Patch
- Add a WAF rule that returns 403 for requests to /wp-admin/admin-ajax.php whose action parameter (in the query string or the POST body) is handle_filter_users and which carry no wordpress_logged_in_ session cookie. Match on the action, not on the endpoint as a whole.
- Do not simply IP-allowlist /wp-admin/admin-ajax.php: WordPress routes many legitimate unauthenticated front-end calls through it, and the plugin's own widgets depend on it, so a blanket restriction breaks the site rather than just the vulnerable action. Restricting wp-admin/ and wp-login.php to trusted IPs is reasonable only if no public user accounts need them.
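A drop-in must-use plugin that refuses the vulnerable AJAX action for anonymous callers, as an added example that is not the vendor's code and not part of the original page. It assumes the vulnerable admin-ajax.php action is named handle_filter_users (the name used in the detection indicators on this page) and that the plugin exposes it through the wp_ajax_nopriv_ hook, which is how WordPress serves an admin-ajax action to logged-out visitors; the file name is arbitrary. The second hook goes beyond the advisory's unauthenticated case and additionally requires the list_users capability from logged-in callers; drop it if members must still be able to use the directory widget.

```php
<?php
/**
 * Plugin Name: Block unauthenticated handle_filter_users (temporary mitigation)
 *
 * Copy this file to wp-content/mu-plugins/ (create the directory if needed).
 * Must-use plugins load before regular plugins, so these hooks are registered
 * before Ultimate Member Widgets for Elementor adds its own callbacks.
 *
 * Assumptions (not confirmed by the advisory): the vulnerable action is named
 * handle_filter_users and is registered via wp_ajax_nopriv_handle_filter_users.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Log the refused call so it can be correlated with web-server logs, then
 * terminate the request with the JSON envelope WordPress uses for failed
 * AJAX calls. A 403 tells a WAF or SIEM this was an access-control refusal.
 */
function umwe_mitigation_refuse( string $reason ): void {
    error_log( sprintf(
        'umwe-mitigation: refused handle_filter_users (%s) from %s',
        $reason,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
}

// Anonymous callers: the nopriv hook only fires when nobody is logged in.
// Priority 0 runs before the plugin's own callback (default priority 10),
// and wp_send_json_error() ends the request, so that callback never runs.
add_action(
    'wp_ajax_nopriv_handle_filter_users',
    function () {
        umwe_mitigation_refuse( 'unauthenticated' );
    },
    0
);

// Stricter than the advisory requires: logged-in callers must hold
// list_users (administrators by default) to reach the handler at all.
add_action(
    'wp_ajax_handle_filter_users',
    function () {
        if ( ! current_user_can( 'list_users' ) ) {
            umwe_mitigation_refuse( 'insufficient capability' );
        }
    },
    0
);
```

Must-use plugins need no activation and cannot be deactivated from the dashboard, so remove the file once the site is on 2.4 or later. Until then the public directory widget's filtering stops working for anonymous visitors, which is the intended trade-off.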
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins. Any version earlier than 2.4 (that is, 2.3 or lower) is vulnerable.
Check Version:
wp plugin get ultimate-member-widgets-for-elementor --field=version
Verify Fix Applied:
Confirm plugin version is 2.4 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of requests to /wp-admin/admin-ajax.php with action=handle_filter_users from clients that present no wordpress_logged_in_ session cookie. The action may be sent in the query string or the POST body; only the former is visible in a standard access log.
Network Indicators:
- Bursts of POST (or GET) requests to /wp-admin/admin-ajax.php carrying action=handle_filter_users from a single client, especially with no Referer from the site's own pages or a non-browser User-Agent, and with 200 responses whose size grows with the number of registered users.
SIEM Query:
source="wordpress.log" AND uri="/wp-admin/admin-ajax.php" AND "handle_filter_users" AND status=200
Caveat: the "auth" field of the combined log format (auth="-") records HTTP basic-auth users only, not WordPress logins, so it cannot separate anonymous callers from logged-in ones. Add the request Cookie header to the log format and filter on the absence of wordpress_logged_in_, or alert on request rate per client, instead.
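The log indicators above, run over a handful of constructed access-log lines, as an added PHP CLI example (not part of the original page and not the vendor's code). It assumes an Apache or nginx combined log extended with the request Cookie header as a trailing quoted field (Apache %{Cookie}i, nginx $http_cookie), and that the vulnerable action name is handle_filter_users as listed above; the sample lines, IP addresses and the threshold of three calls are made up for illustration.

```php
<?php
/**
 * Flag clients that repeatedly call admin-ajax.php?action=handle_filter_users
 * with a 200 response and no logged-in WordPress session cookie.
 *
 * Assumed log format: combined + a final quoted Cookie field. Without that
 * field a web-server log cannot tell whether the caller had a WordPress
 * session (the third "auth" field is HTTP basic-auth only). An action sent in
 * the POST body does not appear in access logs at all, so this catches
 * query-string use only.
 */

// Constructed sample lines (not real traffic): one anonymous burst, one call
// from a logged-in member, and one unrelated AJAX action.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [01/Nov/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=handle_filter_users HTTP/1.1" 200 5120 "-" "python-requests/2.32" "-"
203.0.113.10 - - [01/Nov/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=handle_filter_users HTTP/1.1" 200 5120 "-" "python-requests/2.32" "-"
203.0.113.10 - - [01/Nov/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=handle_filter_users HTTP/1.1" 200 5120 "-" "python-requests/2.32" "-"
198.51.100.7 - - [01/Nov/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=handle_filter_users HTTP/1.1" 200 812 "https://example.com/members/" "Mozilla/5.0" "wordpress_logged_in_abc123=alice|1762000000|hash; wp-settings-1=x"
198.51.100.8 - - [01/Nov/2025:10:00:06 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0" "-"
LOG;

// ip ident auth [ts] "METHOD uri proto" status bytes "referer" "ua" "cookie"
const LINE_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<uri>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)" "(?<cookie>[^"]*)"$/';

/**
 * Return [ip => count] for clients at or above $threshold matching calls.
 */
function find_suspicious_clients( string $log, int $threshold = 3 ): array {
    $counts = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( LINE_RE, $line, $m ) ) {
            continue; // malformed line; a production scanner would count these
        }
        $path  = parse_url( $m['uri'], PHP_URL_PATH );
        $query = parse_url( $m['uri'], PHP_URL_QUERY ) ?? '';
        parse_str( $query, $params );

        if ( $path !== '/wp-admin/admin-ajax.php'
            || ( $params['action'] ?? '' ) !== 'handle_filter_users' ) {
            continue; // some other AJAX action
        }
        if ( (int) $m['status'] !== 200 ) {
            continue; // refused or failed calls are a different signal
        }
        if ( preg_match( '/(^|;\s*)wordpress_logged_in_/', $m['cookie'] ) ) {
            continue; // existing WordPress session: not the unauthenticated case
        }
        $counts[ $m['ip'] ] = ( $counts[ $m['ip'] ] ?? 0 ) + 1;
    }
    return array_filter( $counts, fn( int $n ) => $n >= $threshold );
}

foreach ( find_suspicious_clients( SAMPLE_LOG ) as $ip => $n ) {
    printf( "%s made %d unauthenticated handle_filter_users calls\n", $ip, $n );
}
```

Run with `php scan.php`; on the sample data only 203.0.113.10 is reported (three calls, no session cookie), while 198.51.100.7 is skipped because of its wordpress_logged_in_ cookie. To use it on a real log, replace SAMPLE_LOG with file_get_contents() of the log and tune the threshold to the site's normal directory traffic.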