What the vulnerability does
01Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse.This issue affects Ultimate Membership Pro: from n/a through <= 13.7.
Explanation of Vulnerability in Simple Terms
02Summary
Ultimate Membership Pro versions 13.7 and earlier contain an authentication bypass vulnerability. An attacker can exploit this flaw over the network without authentication to gain unauthorized access to the system. The vulnerability allows reading sensitive data, modifying content, and disrupting service availability. Site administrators should update to a version newer than 13.7 immediately.
What an attacker can do
03Attacker Capabilities
Bypass authentication and read sensitive data, modify content, or disrupt the site without logging in.
Potential impact on your site
04Site Impact
Unauthorized users can access member data, modify site content, and cause service outages without needing valid credentials.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
March 25, 2026
CVE published
April 28, 2026
Record updated