CVE-2025-1702 Overview
CVE-2025-1702 is a time-based SQL injection vulnerability in the Ultimate Member plugin for WordPress. The plugin provides user profile, registration, login, member directory, content restriction, and membership functionality. The flaw affects all versions up to and including 2.10.0 and resides in the handling of the search parameter within the member directory component. Insufficient escaping of user-supplied input and inadequate query preparation allow unauthenticated attackers to append SQL queries to existing statements. Successful exploitation enables extraction of sensitive database information, including credentials, session tokens, and personal data of registered users.
Critical Impact
Unauthenticated attackers can exfiltrate sensitive database contents from any WordPress site running Ultimate Member version 2.10.0 or earlier through time-based SQL injection in the member directory search functionality.
Affected Products
- Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress
- All versions up to and including 2.10.0
- WordPress installations exposing the member directory feature
Discovery Timeline
- 2025-03-05 - CVE-2025-1702 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-1702
Vulnerability Analysis
The vulnerability is classified as SQL Injection under CWE-89. It is a time-based blind variant, meaning attackers infer data by measuring server response delays triggered by injected conditional statements such as SLEEP() or BENCHMARK(). The attack vector is network-based and requires no authentication or user interaction.
The flaw exists in the member directory module of the Ultimate Member plugin. The search request parameter flows into an SQL query that builds member listings without sufficient sanitization or parameter binding. References to the vulnerable code paths are documented in the WordPress Plugin Source Code at line 1775 and line 1863.
The EPSS score is 0.914% with a 76th percentile ranking, indicating elevated exploitation likelihood relative to most CVEs. The plugin is installed on a large WordPress user base, which expands the exploitable attack surface.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command. The search parameter is concatenated into the SQL statement without invoking $wpdb->prepare() with parameterized placeholders. The fix applied in Pull Request 1654 introduces proper escaping and statement preparation, as recorded in changeset 3249862.
Attack Vector
An unauthenticated remote attacker submits a crafted HTTP request to the member directory endpoint with a malicious search parameter. The injected payload appends a conditional time-delay primitive to the existing query. By observing whether responses are delayed, the attacker reconstructs database contents one bit at a time. Targets include wp_users password hashes, session tokens stored in wp_usermeta, and any custom data tables.
The vulnerability is described in the Wordfence Vulnerability Report. No public proof-of-concept code has been released at this time.
Detection Methods for CVE-2025-1702
Indicators of Compromise
- HTTP requests to member directory endpoints containing SQL keywords such as SLEEP, BENCHMARK, UNION, SELECT, or IF( within the search parameter
- Web server access logs showing repeated requests to /wp-admin/admin-ajax.php with action=um_get_members and unusually long response times
- Outbound database queries from the web server exhibiting prolonged execution durations correlated with directory search requests
- Spikes in 200-status responses to member directory URLs from a single source IP over short time windows
Detection Strategies
- Inspect WordPress access logs for URL-encoded SQL metacharacters in query strings targeting Ultimate Member endpoints
- Enable MySQL slow query logging and review for queries originating from member directory functions with embedded SLEEP or BENCHMARK calls
- Deploy web application firewall rules that flag SQL injection signatures on parameters named search against Ultimate Member routes
- Correlate request timing anomalies with source IP reputation to identify automated exploitation attempts
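The access-log indicators and detection strategies above, turned into a small log scanner. This is an added example, not code from the advisory or the Ultimate Member project; it assumes Apache combined-format log lines with one extra trailing field (response time in milliseconds), an assumed directory page slug of /members, and constructed sample lines.

```python
"""Indicator checks for CVE-2025-1702 over web-server access logs.
Added example, not from the advisory or the Ultimate Member project. Assumes
Apache combined log lines with one extra trailing field, the response time in
milliseconds; sample lines are constructed. POST bodies are not logged, so
for POST requests only the endpoint and timing indicators can fire."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format plus a trailing integer response time (ms).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<ms>\d+)$')
# IoC keywords as whole words plus IF( as a call; \b keeps "selection" from matching.
SQLI_RE = re.compile(r'(?i)\b(sleep|benchmark|union|select)\b|\bif\s*\(')
SLOW_MS = 5000  # tune to the directory's normal response-time baseline

def is_um_directory_request(path, params):
    """admin-ajax um_get_members calls, or pages under the directory slug."""
    ajax = path.endswith('/wp-admin/admin-ajax.php')
    return (ajax and 'um_get_members' in params.get('action', [])) \
        or path.startswith('/members')  # assumed directory slug; adjust

def analyze_line(line):
    """Return the indicator names that fire for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group('target'))
    params = parse_qs(parts.query, keep_blank_values=True)
    if not is_um_directory_request(parts.path, params):
        return []
    hits = []
    # unquote() once more so double-URL-encoded payloads are still inspected.
    if any(SQLI_RE.search(unquote(v)) for v in params.get('search', [])):
        hits.append('sqli_keyword_in_search')
    if int(m.group('ms')) >= SLOW_MS:
        hits.append('slow_directory_response')
    return hits

def scan(lines):
    # (source_ip, indicators) for every line where at least one indicator fires
    return [(LOG_RE.match(l).group('ip'), hits) for l in lines if (hits := analyze_line(l))]

SAMPLE_LOG = [  # constructed, not real traffic
    '203.0.113.7 - - [05/Mar/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=um_get_members&search=alice HTTP/1.1" 200 812 "-" "Mozilla/5.0" 120',
    '203.0.113.7 - - [05/Mar/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=um_get_members&search=a%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 812 "-" "python-requests/2.31" 5213',
    '198.51.100.4 - - [05/Mar/2025:10:00:03 +0000] "GET /members/?search=selection HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 98',
]
```

Feed real log lines to scan() and correlate the returned source IPs with request volume to cover the burst indicator as well.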
Monitoring Recommendations
- Track plugin version inventory across WordPress installations and alert on any host running Ultimate Member 2.10.0 or earlier
- Monitor authentication-related tables for unexpected read patterns or bulk data access
- Establish baselines for member directory request volume and alert on deviations consistent with blind SQL injection enumeration
How to Mitigate CVE-2025-1702
Immediate Actions Required
- Update the Ultimate Member plugin to a version later than 2.10.0 that contains the fix from changeset 3249862
- Audit web server and database logs for prior exploitation indicators dating back to the plugin's introduction of the vulnerable code
- Rotate WordPress administrator credentials, API keys, and any secrets stored in the database if exploitation is suspected
- Force password resets for all registered users if database access cannot be ruled out
Patch Information
The vendor remediated the vulnerability via Pull Request 1654 on GitHub and committed the change to the WordPress plugin repository in changeset 3249862. Administrators should install the latest release available from the Ultimate Member Developer Page.
Workarounds
- Disable the member directory feature in Ultimate Member settings until the patched version is deployed
- Restrict access to member directory pages using server-level access controls or authentication requirements
- Deploy a web application firewall rule that blocks SQL metacharacters in the search parameter on Ultimate Member endpoints
- Place the WordPress site behind a reverse proxy that performs SQL injection signature inspection
# Example WAF rule blocking SQL injection patterns in the search parameter
# ModSecurity rule for the Ultimate Member member directory AJAX endpoint.
# The action parameter may arrive in the query string or the POST body, so
# the rule matches on ARGS rather than REQUEST_URI; phase 2 is needed so
# that request-body arguments are available. Word boundaries on the
# keywords reduce false positives on ordinary search terms.
SecRule ARGS:action "@streq um_get_members" \
    "chain,phase:2,deny,status:403,id:1000170,\
    msg:'CVE-2025-1702 Ultimate Member SQLi attempt'"
    SecRule ARGS:search "@rx (?i)\b(sleep|benchmark|union|select)\b|\bif\s*\(" \
        "t:none,t:urlDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

