<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3aultimatememberultimate_memberwordpress/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 05:20:51 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3aultimatememberultimate_memberwordpress/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-15290: Ultimate Member Plugin Blind SQL Injection</title><link>https://feed.craftedsignal.io/briefs/2026-07-ultimate-member-sqli/</link><pubDate>Fri, 10 Jul 2026 05:20:51 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-ultimate-member-sqli/</guid><description>The Ultimate Member plugin for WordPress is vulnerable to blind SQL Injection via the 'search' parameter in all versions up to and including 2.10.1, due to insufficient escaping of user-supplied input and inadequate preparation of existing SQL queries, allowing unauthenticated attackers to append additional SQL queries and extract sensitive information from the database.</description><content:encoded><![CDATA[<p>CVE-2026-15290 details a critical blind SQL Injection vulnerability affecting the Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction &amp; Membership Plugin for WordPress, impacting all versions up to and including 2.10.1. The vulnerability originates from insufficient escaping of user-supplied input in the <code>search</code> parameter and inadequate preparation of existing SQL queries. This flaw enables unauthenticated attackers to append malicious SQL queries to legitimate ones, facilitating the extraction of sensitive information from the underlying database. A partial patch for this specific issue was introduced in version 2.9.2, which initially aimed to address CVE-2025-0308. Successful exploitation poses a significant risk of data breaches and unauthorized access to a WordPress site's sensitive data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts a malicious HTTP GET or POST request targeting a WordPress site running the Ultimate Member plugin.</li>
<li>The crafted request includes SQL injection payloads within the <code>search</code> parameter (e.g., <code>?search=test%27%20AND%20SLEEP(5)--%20</code> or <code>?search=admin%27%20OR%201=1--%20</code>).</li>
<li>Due to inadequate input sanitization and lack of parameterized queries within the plugin's code, the malicious input from the <code>search</code> parameter is directly incorporated into a backend SQL query.</li>
<li>The injected blind SQL query executes on the database server, causing a differential response, such as a time delay for time-based attacks or a distinct content change for boolean-based attacks.</li>
<li>The attacker analyzes the web server's response (e.g., HTTP response time, page content) to infer the result of the injected SQL condition.</li>
<li>The attacker iteratively sends numerous such requests, modifying the payload in the <code>search</code> parameter to extract sensitive data, character by character, or by evaluating true/false conditions.</li>
<li>Sensitive information, such as user credentials, API keys, or private configuration data, is systematically exfiltrated from the WordPress database.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-15290 allows unauthenticated attackers to extract sensitive data from the WordPress database. This could lead to a compromise of user accounts, administrative credentials, and other confidential information stored within the system. The stolen data could then be used for further attacks, identity theft, or sold on illicit markets, leading to severe financial, reputational, and operational damage for affected organizations. The vulnerability's high CVSS v3.1 score of 7.5 reflects the significant risk posed by unauthorized data disclosure without any prior authentication required.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the Ultimate Member plugin for WordPress to a version patched against CVE-2026-15290 (versions higher than 2.10.1).</li>
<li>Deploy the Sigma rule <code>Detect Blind SQL Injection Attempts in Ultimate Member Plugin</code> to your SIEM to identify and alert on potential exploitation attempts via the <code>search</code> parameter.</li>
<li>Ensure detailed web server access logs are enabled and collected for your WordPress instances, specifically capturing full HTTP request URLs and query parameters.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>sql-injection</category><category>web-vulnerability</category></item></channel></rss>