Ultimate Member < 2.11.1 – Authenticated (Subscriber+) Profile Privacy Setting Bypass | CVE 2025-14081 | Plugin Vulnerabilities

Description

The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendering. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (e.g., setting profile to "Only me") via direct parameter manipulation, even when the administrator has explicitly disabled the option for their role.

Affects Plugins

ultimate-member

Fixed in 2.11.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/aad57a68-c385-491f-a5a2-32906df4b52b

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Boris Bogosavac

Verified

No

WPVDB ID

74b2060e-2580-4623-bd0f-c79571c422db

Timeline

Publicly Published

2025-12-16 (about 5 months ago)

Added

2025-12-17 (about 5 months ago)

Last Updated

2025-12-17 (about 5 months ago)

Other

Published

Title

Published

2021-10-27

Title

WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header

Published

2023-04-26

Title

WooCommerce Multivendor Marketplace – REST API < 1.6.0 - Subscriber+ Arbitrary Orders Item And Notes Update

Published

2024-03-01

Title

WP Show Posts < 1.1.5 - Information Exposure

Published

2026-02-17

Title

User Submitted Posts < 20260217 - Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter

Published

2023-10-12

Title

WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution