Open Nav
Sign Up

Urgent Security Alert: SQL Injection Vulnerability in WordPress Ultimate Member Plugin (CVE-2024-1071)

Bar Refael

February 26, 2024

A critical unauthenticated SQL Injection vulnerability, identified as CVE-2024-1071, has been discovered in versions 2.1.3 to 2.8.2 of the Ultimate Member WordPress plugin. This vulnerability affects over 200,000 active installations and allows attackers to inject malicious SQL commands through the ‘sorting’ parameter. Successful exploitation could lead to the extraction of sensitive information, including password hashes, from the database.

Vulnerability Details:

  • CVE ID: CVE-2024-1071
  • Affected Versions: Ultimate Member WordPress Plugin versions 2.1.3 to 2.8.2
  • Impact: SQL Injection, Data Exfiltration

Impact:

  • Unauthorized access to sensitive information
  • Potential compromise of user credentials and data
  • Risk of further exploitation and compromise of the affected WordPress sites

Recommendations:

  • Update: Immediately update the Ultimate Member plugin to version 2.8.3 to mitigate the vulnerability.
  • Review: Conduct a security review of your WordPress site to ensure no unauthorized access or changes have occurred.
  • Monitor: Monitor your website for any unusual activity or unauthorized access attempts.
  • Educate: Educate your website administrators and users about safe browsing practices and security measures.

Action Required:

Immediate action is required to update the Ultimate Member plugin to version 2.8.3 to protect your website from potential exploitation. Failure to update could result in unauthorized access to your website and compromise of sensitive information.

Stay Secure. Stay Informed.

OP Innovate Research Team.

Resources highlights

AsyncAPI npm Supply-Chain Attack Delivers Cross-Platform Miasma RAT

A software supply-chain attack compromised four packages in the official AsyncAPI npm namespace, resulting in five malicious package versions being distributed through the project’s legitimate…

Read more >

AsyncAPI supply chain attack

Zoom Windows Vulnerability Enables Account Takeover (CVE-2026-53412)

Zoom has released security updates for a critical vulnerability affecting Zoom Workplace and Zoom Workplace VDI clients for Windows. Tracked as CVE-2026-53412, the vulnerability could…

Read more >

cve-2026-53412

Actively Exploited SonicWall SMA1000 Vulnerabilities (CVE-2026-15409 and CVE-2026-15410)

SonicWall has released emergency hotfixes for two vulnerabilities affecting SMA1000 Series secure access appliances. Both vulnerabilities have been exploited in active attacks, and one carries…

Read more >

sonicwall_cve-2026-15409_cve-2026-15410_op

Critical Gitea Docker Authentication Bypass Under Active Probing: CVE-2026-20896

A critical authentication bypass vulnerability, tracked as CVE-2026-20896, has been disclosed in the official Gitea Docker image. Gitea is a self-hosted software development platform used…

Read more >

gitea_docker_cve-2026-20896

Adobe Patches Multiple Critical ColdFusion and Campaign Classic Vulnerabilities: CVE-2026-48282 Exploitation Observed

Adobe has released security updates for multiple critical vulnerabilities affecting Adobe ColdFusion and Adobe Campaign Classic, including several flaws rated CVSS 10.0.CVE-2026-48282, a critical ColdFusion…

Read more >

adobe_coldfusion_campaign classic_cve-2026-48282

CVE-2026-46817: Critical Oracle E-Business Suite Vulnerability

A critical vulnerability in Oracle E-Business Suite is now being actively exploited in the wild. Tracked as CVE-2026-46817, the flaw affects the File Transmission component…

Read more >

cve-2026-46817-oracle-e-business
Under Cyber Attack?

Fill out the form and we will contact you immediately.