Open Nav
Sign Up

Urgent Security Alert: SQL Injection Vulnerability in WordPress Ultimate Member Plugin (CVE-2024-1071)

Bar Refael

February 26, 2024

A critical unauthenticated SQL Injection vulnerability, identified as CVE-2024-1071, has been discovered in versions 2.1.3 to 2.8.2 of the Ultimate Member WordPress plugin. This vulnerability affects over 200,000 active installations and allows attackers to inject malicious SQL commands through the ‘sorting’ parameter. Successful exploitation could lead to the extraction of sensitive information, including password hashes, from the database.

Vulnerability Details:

  • CVE ID: CVE-2024-1071
  • Affected Versions: Ultimate Member WordPress Plugin versions 2.1.3 to 2.8.2
  • Impact: SQL Injection, Data Exfiltration

Impact:

  • Unauthorized access to sensitive information
  • Potential compromise of user credentials and data
  • Risk of further exploitation and compromise of the affected WordPress sites

Recommendations:

  • Update: Immediately update the Ultimate Member plugin to version 2.8.3 to mitigate the vulnerability.
  • Review: Conduct a security review of your WordPress site to ensure no unauthorized access or changes have occurred.
  • Monitor: Monitor your website for any unusual activity or unauthorized access attempts.
  • Educate: Educate your website administrators and users about safe browsing practices and security measures.

Action Required:

Immediate action is required to update the Ultimate Member plugin to version 2.8.3 to protect your website from potential exploitation. Failure to update could result in unauthorized access to your website and compromise of sensitive information.

Stay Secure. Stay Informed.

OP Innovate Research Team.

Resources highlights

CISA: Attackers Exploiting SysAid Vulnerabilities (CVE-2025-2775, CVE-2025-2776)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two SysAid On-Prem vulnerabilities, CVE-2025-2775 and CVE-2025-2776, to its Known Exploited Vulnerabilities (KEV) catalog, confirming…

Read more >

CVE-2025-2775, CVE-2025-2776

Critical Zero-Day in CrushFTP Exploited in the Wild (CVE-2025-54309)

A critical zero-day vulnerability in CrushFTP, CVE-2025-54309, is being actively exploited by threat actors to gain unauthenticated administrative access to vulnerable servers via HTTPS. The…

Read more >

CVE-2025-54309

Critical Zero-Day in Microsoft SharePoint Actively Exploited (CVE-2025-53770)

A newly discovered zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, is currently being exploited in active attacks against on-premises environments. The flaw, rated…

Read more >

CVE-2025-53770

Over 600 Laravel Applications Vulnerable to Remote Code Execution via Leaked APP_KEYs (CVE-2018-15133, CVE-2024-55556)

Security researchers have uncovered a major RCE threat affecting over 600 Laravel applications, triggered by leaked APP_KEYs found on public GitHub repositories. Laravel's APP_KEY, typically…

Read more >

CVE-2018-15133, CVE-2024-55556

CVE-2025-3648: “Count(er) Strike” Vulnerability in ServiceNow

CVE-2025-3648, dubbed “Count(er) Strike”, is a high-severity vulnerability (CVSS 8.2) in ServiceNow's Now Platform, discovered by Varonis Threat Labs. The flaw allows both authenticated and…

Read more >

CVE-2025-3648

What to Look for in a Pentesting Platform (Beyond Just Scans)

Penetration testing platforms are a great way to centralize vulnerability discovery and triage. However, when evaluating penetration testing platforms, many organizations make the mistake of…

Read more >

pentesting platform
Under Cyber Attack?

Fill out the form and we will contact you immediately.