Ultimatemember Ultimate Member — known CVE vulnerabilities
Every CVE whose affected-product data names Ultimatemember Ultimate Member, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (37)
CVE-2020-36157 — CVSS 10.0 (critical): An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Roles…
CVE-2020-36155 — CVSS 10.0 (critical): An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta…
CVE-2020-36156 — CVSS 9.9 (critical): An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Authenticated Privilege Escalation via Profile…
CVE-2023-3460 — CVSS 9.8 (critical): The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities…
CVE-2024-1071 — CVSS 9.8 (critical): The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress…
CVE-2019-10673 — CVSS 8.8 (high): A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to…
CVE-2019-10270 — CVSS 8.8 (high): An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It is possible (due to lack of…
CVE-2025-0308 — CVSS 7.5 (high): The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress…
CVE-2022-3384 — CVSS 7.2 (high): The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the…
CVE-2022-3383 — CVSS 7.2 (high): The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the…
CVE-2024-2123 — CVSS 7.2 (high): The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress…
CVE-2022-1208 — CVSS 6.4 (medium): The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user…
CVE-2024-8519 — CVSS 6.4 (medium): The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress…
CVE-2018-13136 — CVSS 6.1 (medium): The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen.
CVE-2015-8354 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPress plugin before 1.3.29 for WordPress allows remote attackers to…
CVE-2018-6944 — CVSS 6.1 (medium): core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails…
CVE-2018-17866 — CVSS 6.1 (medium): Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile &…
CVE-2024-2765 — CVSS 5.4 (medium): The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress…
CVE-2018-0585 — CVSS 5.4 (medium): Cross-site scripting vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to inject…
CVE-2021-24306 — CVSS 5.4 (medium): The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly…
CVE-2025-0318 — CVSS 5.3 (medium): The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress…
CVE-2020-36170 — CVSS 5.3 (medium): The Ultimate Member plugin before 2.1.13 for WordPress mishandles hidden name="timestamp" fields in forms.
CVE-2020-6859 — CVSS 5.3 (medium): Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for…
CVE-2024-12276 — CVSS 5.3 (medium): The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress…
CVE-2024-8520 — CVSS 5.3 (medium): The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress…
CVE-2022-3966 — CVSS 4.3 (medium): A vulnerability, which was classified as critical, has been found in Ultimate Member Plugin up to 2.5.0. This issue affects the function…
CVE-2022-3361 — CVSS 4.3 (medium): The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient…
CVE-2019-10271 — CVSS 4.3 (medium): An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. It…
CVE-2024-10528 — CVSS 4.3 (medium): The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress…
CVE-2022-1209 — CVSS 4.3 (medium): The Ultimate Member plugin for WordPress is vulnerable to arbitrary redirects due to insufficient validation on supplied URLs in the social…