CVE-2025-1702
📋 TL;DR
This vulnerability lets an unauthenticated attacker perform time-based blind SQL injection through the 'search' parameter of the member directory in the Ultimate Member WordPress plugin. Because the injected query is evaluated in the directory's database lookup, an attacker can infer database contents (including user rows from wp_users) one condition at a time by measuring response delays; no login or special privilege is needed. All WordPress sites running Ultimate Member versions up to and including 2.10.0 are affected.
💻 Affected Systems
- Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress
⚠️ Manual Verification Required
Automated vulnerability detection for this entry cannot match an installed version against a vendor-supplied version range, so it cannot tell you whether your system is affected.
Why? The CVE database entry carries no structured version ranges from the vendor/NVD. The affected range stated elsewhere on this page (2.10.0 and earlier vulnerable, fixed in 2.10.1) comes from the Wordfence advisory in the references, so verify the installed version by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 2.10.1 or later; if the version cannot be confirmed, treat the site as vulnerable
⚠️ Risk & Real-World Impact
Worst Case
Complete read access to the WordPress database, including wp_users password hashes (crackable offline), email addresses and personal data held in user meta, and any other plugin tables. A cracked administrator hash or a reused password turns this into administrative access to the site.
Likely Case
Extraction of user data (usernames, emails, hashed passwords) and other sensitive rows, at the slow rate a time-based technique allows, which still suffices for a targeted dump of administrator accounts.
If Mitigated
If directory search is disabled or a WAF blocks the payloads, the injection point is unreachable and exposure is limited to what the remaining directory functionality reveals. Do not count on "minimal sensitive data": every WordPress database holds credential hashes and email addresses.
🎯 Exploit Status
No public exploit is listed here, but time-based blind SQL injection is a well-documented technique and off-the-shelf tooling such as sqlmap automates it, so opportunistic exploitation of unpatched sites should be expected.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.1 or later
Vendor Advisory: https://wordpress.org/plugins/ultimate-member/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Ultimate Member plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Member Directory Search
Temporarily disable the search functionality in the member directory to block the attack vector.
Navigate to Ultimate Member > Settings > General > Member Directory and disable the 'Enable Search' option. Search can also be enabled per directory, so check each directory's own search settings under Ultimate Member > Member Directories; a single directory with search left on keeps the vulnerable code reachable.
🧯 If You Can't Patch
- Put a Web Application Firewall (WAF) with SQL injection rules in front of the site, and make sure it inspects POST bodies, not just URLs
- Restrict access to member directory pages via .htaccess or similar access controls. Note that directory searches are processed by the um_get_members AJAX action through /wp-admin/admin-ajax.php, so blocking only the directory page URL does not stop a request sent directly to that endpoint
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel go to Plugins > Installed Plugins and read the Ultimate Member version number. Any version up to and including 2.10.0 is vulnerable.
Check Version:
wp plugin list --name=ultimate-member --field=version
Verify Fix Applied:
After updating, verify plugin version shows 2.10.1 or higher in WordPress admin panel.
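When the check has to run across many sites, comparing the version string the way a shell one-liner would ("2.9.2" > "2.10.1" as text) silently reports vulnerable installs as safe. The script below is an added example, not part of this page or of the plugin: it parses the JSON that `wp plugin list --format=json` emits, orders versions numerically, and treats pre-release suffixes as older than the final build. The sample plugin list embedded in it is constructed for the demonstration.

```python
import json
import re

FIXED_IN = "2.10.1"  # first Ultimate Member release carrying the fix for CVE-2025-1702


def version_key(v):
    """Map a version string to a tuple that orders numerically.
    '2.9.2' < '2.10.0' here, whereas a plain string comparison puts '2.9.2' after
    '2.10.1' and would call a vulnerable site safe. A pre-release suffix such as
    '2.10.1-beta1' sorts below the final '2.10.1'."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # '2.10' == '2.10.0'
    prerelease = -1 if m.group(2) else 0    # any suffix means not the final build
    return nums + (prerelease,)


def is_vulnerable(version):
    """True when the installed version predates the fixed release."""
    return version_key(version) < version_key(FIXED_IN)


def check_site(plugin_list_json):
    """Evaluate one site from the JSON emitted by `wp plugin list --format=json`.
    Returns (installed_version, vulnerable), or (None, False) when Ultimate
    Member is not installed at all."""
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == "ultimate-member":
            return plugin["version"], is_vulnerable(plugin["version"])
    return None, False


# Constructed sample of wp-cli output for a site still on the 2.9 branch.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "ultimate-member", "status": "active", "update": "available", "version": "2.9.2"},
])

if __name__ == "__main__":
    # On a real host, feed the live output instead of the sample:
    #   json_text = subprocess.run(["wp", "plugin", "list", "--format=json"],
    #                              capture_output=True, text=True, check=True).stdout
    version, vulnerable = check_site(SAMPLE_PLUGIN_LIST)
    state = "VULNERABLE, update to " + FIXED_IN if vulnerable else "ok"
    print(f"ultimate-member {version}: {state}")
    # The trap a naive check falls into: as strings, 2.9.2 looks newer than 2.10.1.
    print("string compare says safe:", "2.9.2" >= FIXED_IN)
```

Run it once per site with the wp-cli output piped in; the only inputs it needs are the plugin name, which wp-cli reports as ultimate-member, and the version string.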
📡 Detection & Monitoring
Log Indicators:
- Entries in the MySQL slow query log, or general log, where the member directory query contains SLEEP(), BENCHMARK() or similar delay functions
- Many requests in quick succession to the um_get_members AJAX action with small variations of the search parameter (the signature of character-by-character blind extraction)
- Search requests whose response time clusters around a fixed delay (for example 5 or 10 seconds), which is the attacker's chosen SLEEP() value
Network Indicators:
- Unusual request volume to /wp-admin/admin-ajax.php with action=um_get_members, especially from a single source without normal page views in between
- SQL syntax or delay functions in the search value. The plugin's own JavaScript sends these requests as POST, so the search term lands in the request body and appears in standard access logs only when an attacker uses GET; a WAF or request-body audit log is needed to see the rest
SIEM Query:
source="web_server" AND url="*admin-ajax.php*" AND url="*action=um_get_members*" AND url="*search=*" AND (url="*SLEEP*" OR url="*BENCHMARK*" OR response_time>5000)
Run the same pattern against your WAF or ModSecurity audit log source for the POST-body variant, since the web server log only carries the URL.
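The SIEM query above is a coarse match; the script below is an added example (not from this page or the plugin vendor) of the same detection logic applied to raw access log lines, so it can be run offline or adapted into a detection rule. It assumes an Apache combined log format with the response time in microseconds (%D) appended, decodes the search parameter before matching, and flags both explicit delay functions and anomalously slow responses. The um_get_members action name is the plugin's AJAX handler for directory searches; the log lines and the injection strings in them are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache combined log with %D (response time in microseconds) appended.
# Assumed format for this example; adjust the regex to your own log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<us>\d+)$'
)

# Delay primitives used for time-based blind injection. MySQL's SLEEP/BENCHMARK
# are the ones that matter for WordPress; the others catch scanner noise.
TIME_SIGS = re.compile(
    r"(sleep\s*\(|benchmark\s*\(|waitfor\s+delay|pg_sleep\s*\()", re.IGNORECASE
)
# Generic injection shape: quote followed by a boolean operator, or a comment
# terminator that truncates the rest of the original query.
GENERIC_SIGS = re.compile(r"(['\"]\s*(and|or)\s|--\s|/\*)", re.IGNORECASE)

SLOW_US = 5_000_000  # 5 s; tune to the site's normal directory-search latency


def classify_search(search_value, response_us):
    """Return a list of reasons the request looks malicious; empty means benign."""
    reasons = []
    # parse_qs already decoded once; decoding again catches double-encoded payloads.
    decoded = unquote_plus(search_value)
    if TIME_SIGS.search(decoded):
        reasons.append("time-based SQL function in search")
    elif GENERIC_SIGS.search(decoded):
        reasons.append("SQL syntax in search")
    if response_us >= SLOW_US:
        reasons.append(f"slow response {response_us / 1e6:.1f}s")
    return reasons


def analyze_request(method, target, body, response_us):
    """Pull the directory search term out of one request and classify it.
    `body` is the urlencoded POST body when a WAF/audit log provides it, else ''.
    Returns None for requests that are not Ultimate Member directory searches."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query)
    params.update(parse_qs(body))
    if params.get("action", [""])[0] != "um_get_members":
        return None
    search = params.get("search", [""])[0]
    return classify_search(search, response_us)


def scan_access_log(lines):
    """Run analyze_request over access log lines; returns (hits, per-source counts)."""
    hits, per_ip = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m["method"], m["target"], "", int(m["us"]))
        if reasons:
            per_ip[m["ip"]] = per_ip.get(m["ip"], 0) + 1
            hits.append((m["ip"], m["ts"], reasons))
    return hits, per_ip


# Constructed sample: a benign search, two time-based probes, and unrelated traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=um_get_members&search=alice HTTP/1.1" 200 812 "-" "Mozilla/5.0" 184233',
    '203.0.113.7 - - [10/Feb/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=um_get_members&search=alice%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 812 "-" "python-requests/2.31" 5104211',
    '203.0.113.7 - - [10/Feb/2025:10:01:16 +0000] "GET /wp-admin/admin-ajax.php?action=um_get_members&search=alice%27%20AND%20%28SELECT%20BENCHMARK%285000000%2CMD5%281%29%29%29--%20 HTTP/1.1" 200 812 "-" "python-requests/2.31" 5220019',
    '198.51.100.4 - - [10/Feb/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=um_get_members&search=bob HTTP/1.1" 200 640 "-" "Mozilla/5.0" 201004',
    '198.51.100.4 - - [10/Feb/2025:10:02:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0" 15000',
]

if __name__ == "__main__":
    hits, per_ip = scan_access_log(SAMPLE_LOG)
    for ip, ts, reasons in hits:
        print(ip, ts, "; ".join(reasons))
    print("suspicious searches per source:", per_ip)
```

The benign searches for alice and bob produce no reasons, while both probes from 203.0.113.7 are flagged twice over: once for the delay function and once for the response time, which is the combination worth alerting on, since a slow response alone can be a busy database and SQL-looking text alone can be a user typing punctuation.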
🔗 References
- https://github.com/ultimatemember/ultimatemember/pull/1654/commits/74647d42cc8d63f5d4f687efcd0792c246c23039
- https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/class-member-directory.php#L1775
- https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/class-member-directory.php#L1863
- https://plugins.trac.wordpress.org/changeset/3249862/
- https://wordpress.org/plugins/ultimate-member/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/34adbae5-d615-4f8d-a845-6741d897f06c?source=cve