CVE-2025-12492 MEDIUM

CVE-2025-12492: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.11.0 - Unauthenticated Sensitive Information Exposure

Vendor Ultimatemember
Product Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Weakness CWE-200 · Info exposure
Published December 20, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector      Network
Attack complexity  Low
Privileges required None
User interaction   None
Confidentiality    Low
Integrity          None
Availability       None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.0 via the ajax_get_members function. This is due to the use of a predictable low-entropy token (5 hex characters derived from md5 of post ID) to identify member directories and insufficient authorization checks on the unauthenticated AJAX endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, display names, user roles (including administrator accounts), profile URLs, and user IDs by enumerating predictable directory_id values or brute-forcing the small 16^5 token space.
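As an added example that is not part of this advisory or of the plugin: a small detection script that reads web server access-log lines and flags clients requesting many distinct directory_id values from admin-ajax.php, which is the traffic pattern a sweep of the 16^5 token space would produce. It assumes the directory_id parameter is visible in the logged query string, and uses a placeholder AJAX action name because the advisory does not give one.

```python
import re
from collections import defaultdict

# The advisory says directories are identified by a 5-hex-character token,
# i.e. a space of only 16**5 values, so a single client requesting many
# distinct directory_id values is a meaningful detection signal.
TOKEN_SPACE = 16 ** 5

# Combined-log-format request line: client IP and request path are what we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# directory_id as a query-string parameter holding exactly 5 hex characters.
DIR_ID_RE = re.compile(r'[?&]directory_id=([0-9a-fA-F]{5})(?:&|$)')


def parse_line(line):
    """Return (client_ip, token) for admin-ajax.php requests carrying a
    5-hex directory_id, or None for any other line."""
    m = LOG_RE.match(line)
    if not m or '/admin-ajax.php' not in m.group('path'):
        return None
    d = DIR_ID_RE.search(m.group('path'))
    if not d:
        return None
    return m.group('ip'), d.group(1).lower()


def find_enumerators(lines, threshold=10):
    """Map client IP -> number of distinct directory_id tokens requested,
    keeping only clients at or above `threshold` distinct tokens."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, token = parsed
            seen[ip].add(token)
    return {ip: len(t) for ip, t in seen.items() if len(t) >= threshold}


# Constructed sample log lines (not real traffic). The AJAX action name is not
# given in the advisory, so 'get_members' below is a placeholder.
def _line(ip, token, status=200):
    return (f'{ip} - - [21/Dec/2025:10:00:00 +0000] "GET /wp-admin/admin-ajax.php'
            f'?action=get_members&directory_id={token} HTTP/1.1" {status} 512')

SAMPLE_LINES = (
    [_line('203.0.113.7', f'{i:05x}') for i in range(12)]    # one client sweeping tokens
    + [_line('198.51.100.4', 'beef1') for _ in range(3)]      # normal repeat visits
    + ['198.51.100.4 - - [21/Dec/2025:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1024']
)

if __name__ == '__main__':
    for ip, n in find_enumerators(SAMPLE_LINES).items():
        print(f'{ip}: {n} distinct directory_id values requested')
```

The threshold is deliberately low for the sample; on a busy site tune it against the number of real member directories, which is normally a handful.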

Explanation of Vulnerability in Simple Terms

02 Summary

Ultimate Member versions up to and including 2.11.0 expose sensitive information that can be retrieved over the network without authentication. An attacker can obtain this data directly, with no login and no interaction from any user. The weakness lies in the plugin's member directory AJAX endpoint and may expose user profile data (usernames, display names, roles, profile URLs and user IDs) or other protected information.

What an attacker can do

03 Attacker Capabilities

Read sensitive information from the site without logging in.

Potential impact on your site

04 Site Impact

User data or other sensitive information may be visible to unauthenticated visitors.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

December 20, 2025 CVE published
April 8, 2026 Record updated