CVE-2025-14081: CWE-863 Incorrect Authorization in ultimatemember Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendering. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (e.g., setting profile to "Only me") via direct parameter manipulation, even when the administrator has explicitly disabled the option for their role.
AI Analysis
Technical Summary
The Ultimate Member plugin for WordPress contains an authorization flaw (CWE-863) in its profile privacy settings mechanism. Specifically, field keys are added to the allowed fields list prior to enforcing the `required_perm` check during rendering. This logic error permits authenticated attackers with Subscriber privileges to alter their profile privacy settings, such as setting their profile visibility to "Only me," despite administrative restrictions. The vulnerability affects all versions up to and including 2.11.0 and has a CVSS 3.1 base score of 4.3 (medium severity).
Potential Impact
An attacker with Subscriber-level access can bypass administrative restrictions on profile privacy settings by directly manipulating parameters. This could allow users to conceal their profiles contrary to configured policies, potentially impacting visibility and content restriction controls. There is no indication of confidentiality, availability, or higher integrity impacts beyond the limited profile privacy setting modification.
Mitigation Recommendations
Patch status is not yet confirmed — no official patch or remediation guidance is provided in the available data. Users should monitor the vendor's advisory for updates and apply any official fixes once released. Until then, consider restricting Subscriber-level permissions or monitoring for suspicious profile privacy changes as a temporary mitigation.
CVE-2025-14081: CWE-863 Incorrect Authorization in ultimatemember Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Description
The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendering. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (e.g., setting profile to "Only me") via direct parameter manipulation, even when the administrator has explicitly disabled the option for their role.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Ultimate Member plugin for WordPress contains an authorization flaw (CWE-863) in its profile privacy settings mechanism. Specifically, field keys are added to the allowed fields list prior to enforcing the `required_perm` check during rendering. This logic error permits authenticated attackers with Subscriber privileges to alter their profile privacy settings, such as setting their profile visibility to "Only me," despite administrative restrictions. The vulnerability affects all versions up to and including 2.11.0 and has a CVSS 3.1 base score of 4.3 (medium severity).
Potential Impact
An attacker with Subscriber-level access can bypass administrative restrictions on profile privacy settings by directly manipulating parameters. This could allow users to conceal their profiles contrary to configured policies, potentially impacting visibility and content restriction controls. There is no indication of confidentiality, availability, or higher integrity impacts beyond the limited profile privacy setting modification.
Mitigation Recommendations
Patch status is not yet confirmed — no official patch or remediation guidance is provided in the available data. Users should monitor the vendor's advisory for updates and apply any official fixes once released. Until then, consider restricting Subscriber-level permissions or monitoring for suspicious profile privacy changes as a temporary mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-05T01:12:20.672Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6942f8e8847f7e98df04b54c
Added to database: 12/17/2025, 6:39:36 PM
Last enriched: 4/9/2026, 9:46:32 AM
Last updated: 5/9/2026, 11:59:36 PM
Views: 117
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.