CVE-2025-0318: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ultimatemember Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.9.1 through different error messages in the responses. This makes it possible for unauthenticated attackers to exfiltrate data from wp_usermeta table.
AI Analysis
Technical Summary
The Ultimate Member plugin for WordPress, up to version 2.9.1, is vulnerable to an information exposure issue (CWE-200) due to error message differences in responses. This flaw enables unauthenticated attackers to exfiltrate data from the wp_usermeta table, potentially revealing sensitive user information. The vulnerability is network exploitable without privileges or user interaction and affects confidentiality only. No patch or official fix information is provided in the available data.
Potential Impact
An attacker can gain unauthorized access to sensitive user metadata stored in the WordPress database, specifically the wp_usermeta table. This exposure could lead to privacy violations or aid in further attacks that rely on user information. There is no impact on data integrity or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider restricting access to error messages and database information through web server or application-level controls to limit information leakage.
CVE-2025-0318: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ultimatemember Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Description
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.9.1 through different error messages in the responses. This makes it possible for unauthenticated attackers to exfiltrate data from wp_usermeta table.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Ultimate Member plugin for WordPress, up to version 2.9.1, is vulnerable to an information exposure issue (CWE-200) due to error message differences in responses. This flaw enables unauthenticated attackers to exfiltrate data from the wp_usermeta table, potentially revealing sensitive user information. The vulnerability is network exploitable without privileges or user interaction and affects confidentiality only. No patch or official fix information is provided in the available data.
Potential Impact
An attacker can gain unauthorized access to sensitive user metadata stored in the WordPress database, specifically the wp_usermeta table. This exposure could lead to privacy violations or aid in further attacks that rely on user information. There is no impact on data integrity or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider restricting access to error messages and database information through web server or application-level controls to limit information leakage.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-07T22:50:30.349Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b67b7ef31ef0b55511f
Added to database: 2/25/2026, 9:36:39 PM
Last enriched: 4/9/2026, 3:40:25 PM
Last updated: 4/12/2026, 9:29:30 AM
Views: 31
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.