Skip to main content

Ultimate Member WordPress Plugin Unauthenticated Blind SQL Injection Exposes Database Contents (CVE-2026-15290)

Scope: Ultimate Member WordPress Plugin Versions up to and Including 2.10.1

Severity: Red

A critical unauthenticated blind SQL injection vulnerability in the Ultimate Member plugin's Member Directory search parameter, first partially addressed in version 2.9.2 as CVE-2025-0308 but insufficiently remediated, allows any unauthenticated attacker to append arbitrary SQL queries into existing database operations and enumerate the entire WordPress database through time-based blind injection techniques. Ultimate Member is one of the most widely deployed WordPress membership plugins with over 200,000 active installations, meaning successful exploitation against unpatched sites can expose user credentials, password hashes, PII, email addresses, session tokens, and any other data stored in the WordPress database. Administrators must update to Ultimate Member version 2.10.2 or later immediately, deploy WAF rules to block SQL metacharacters in search parameters, and rotate database and administrator credentials if exploitation is suspected.

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.