CVE-2025-47691 MEDIUM

CVE-2025-47691: WordPress Ultimate Member plugin <= 2.10.3 - Arbitrary Function Call vulnerability

Vendor Ultimate Member
Product Ultimate Member
Weakness CWE-94 · Code injection
Published May 7, 2025
Last update April 28, 2026

CVSS base score

5.5/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Improper Control of Generation of Code ('Code Injection') vulnerability in the Ultimate Member plugin (vendor: Ultimate Member, slug: ultimate-member) allows Code Injection. This issue affects Ultimate Member versions up to and including 2.10.3.

Explanation of Vulnerability in Simple Terms

02 Summary

Ultimate Member versions up to 2.10.3 contain a code injection vulnerability in how they process user input. An attacker with high-level privileges can inject and execute arbitrary code on the site. The vulnerability requires specific conditions to exploit and affects confidentiality, integrity, and availability of the site.

What an attacker can do

03 Attacker Capabilities

An attacker who already holds a high-privilege account can inject and execute arbitrary code on the site.

Potential impact on your site

04 Site Impact

A compromised admin account could allow code execution affecting site data, functionality, and availability.

Conditions required to exploit

05 Prerequisites

Attacker must have high-level privileges (admin or equivalent) and network access to the site.

Key dates

06 Disclosure timeline

May 7, 2025 CVE published
April 28, 2026 Record updated