The Ultimate Member plugin for WordPress is vulnerable to blind SQL Injection via the 'search' parameter in all versions up to and including 2.10.1, due to insufficient escaping of user-supplied input and inadequate preparation of existing SQL queries, allowing unauthenticated attackers to append additional SQL queries and extract sensitive information from the database.
Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.10.1
wordpress
plugin
sql-injection
web-vulnerability
1r
2t
2c