CVE-2022-3383 HIGH

CVE-2022-3383: Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 - Authenticated (Admin+) Remote Code Execution via Multi-Select

Vendor Ultimatemember
Product Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Weakness CWE-94 · Code injection
Published November 29, 2022
Last update April 8, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server.

Key dates

02Disclosure timeline

November 29, 2022 CVE published
April 8, 2026 Record updated