CVE-2024-1071
published 2024-03-13

CVE-2024-1071: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL…

Priority: P1 · 90 · critical · 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 89.43% (99.8th percentile)
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affected

1 range

Vendor: ultimatemember
Product: ultimate_member
Version range: >= 2.1.3 < 2.8.3
Fixed in: 2.8.3

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php?action=um_get_members
command (POST body): directory_id=b9238&sorting=user_login,SLEEP(5)&nonce={{nonce}}
path: /wp-content/plugins/ultimate-member
yara:
rule CVE_2024_1071_UM_SQLi
{
    // Matches a captured request (or audit-log entry) carrying the public PoC payload.
    // Note: the plugin's own assets also contain "um_get_members" and "sorting=", so
    // scan request captures, not the plugin directory, to avoid false positives.
    strings:
        $action = "um_get_members"      // member-directory AJAX action
        $param  = "sorting="            // the injectable parameter
        $sleep  = "SLEEP(" nocase       // time-based blind payload; nocase added here so sleep( also matches
    condition:
        $action and $param and $sleep
}
  • Monitor POST requests to /wp-admin/admin-ajax.php with action=um_get_members; the public payload injects SQL via the 'sorting' parameter (e.g. 'user_login,SLEEP(5)'), a time-based blind SQLi indicator.
  • Detect time-based injection by correlating a response duration >= 5 seconds on requests to the um_get_members AJAX endpoint with an HTTP 200 response whose body contains 'current_page' and 'total_pages': the handler still returns its normal JSON, and only the delay reveals the injection.
  • The exploit is unauthenticated: no session cookie or authentication header is required, only a nonce that any visitor can read from the page HTML. Alert on any unauthenticated POST to admin-ajax.php with action=um_get_members and a 'sorting' value containing SQL metacharacters (comma, parentheses, quotes) or SQL keywords such as SLEEP.
  • Use FOFA/PublicWWW/ZoomEye fingerprint queries to identify exposed instances of the vulnerable plugin for proactive scanning.
  • The WordPress nonce is extracted from the page body (regex: '"nonce":"([0-9a-z]+)"') and reused in the injection request; detection pipelines should flag the two-stage sequence of a GET /?p=1 followed immediately by a POST to admin-ajax.php with action=um_get_members from the same source IP. On its own that sequence is also what a legitimate browser produces when it loads a member directory, so treat it as corroborating context rather than a standalone alert.
  • The vulnerability affects Ultimate Member plugin versions 2.1.3 through 2.8.2 only; version 2.8.3 and later are patched. Make version checks part of any scanner or WAF rule to avoid false positives on patched installations.
  • The Nuclei template uses a 10-second timeout (@timeout: 10s) for the SLEEP(5) payload; IDS/WAF rules that use response-time thresholds should account for network latency and set thresholds accordingly to avoid false negatives.
  • The injection point is specifically the 'sorting' POST body parameter in the member directory AJAX handler; other parameters on the same endpoint are not the attack vector.
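The detection logic in the bullets above, as an added example that is not part of the original page or of the plugin vendor's code. It runs offline over constructed access-log lines in a format assumed here (client IP, timestamp, request line, status, response time in seconds, and the POST body or a dash; a stock access log does not record request bodies, so in practice a ModSecurity audit log or a proxy with body logging is needed to see 'sorting'). It flags um_get_members POSTs whose 'sorting' value is not a bare key name, corroborates them with the >= 5 s response time and with a preceding page GET from the same IP, and includes the affected-version gate the bullets recommend. The sample log lines, IPs, directory id and nonce values are constructed; the allowlist of what a legitimate 'sorting' value looks like is an assumption.

```python
"""Detection logic for CVE-2024-1071 exploitation attempts over sample log lines.

Added example: not the page's or the plugin vendor's code. The log format
(ip, [timestamp], "request line", status, seconds, post-body-or-dash) is an
assumption; real deployments need request-body logging to see 'sorting'.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

SLEEP_SECONDS = 5.0         # the public PoC payload is SLEEP(5)
STAGE_WINDOW_SECONDS = 30   # nonce-harvesting GET is followed closely by the POST
AFFECTED_MIN, FIXED_IN = (2, 1, 3), (2, 8, 3)   # >= 2.1.3, < 2.8.3 (fixed in 2.8.3)

# Assumption: a legitimate 'sorting' value is a single key such as user_login
# or display_name_desc. Commas, parentheses, quotes or spaces never belong there.
SAFE_SORTING = re.compile(r"^[A-Za-z0-9_]+$")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<dur>[\d.]+) (?P<body>\S*)$'
)

# Constructed sample: one nonce-fetch-then-inject pair, two benign directory
# loads, and one lowercase-sleep variant with no preceding page GET.
SAMPLE_LOG = """\
203.0.113.7 [13/Mar/2024:10:00:01 +0000] "GET /?p=1 HTTP/1.1" 200 0.210 -
203.0.113.7 [13/Mar/2024:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=um_get_members HTTP/1.1" 200 5.420 directory_id=b9238&sorting=user_login%2CSLEEP%285%29&nonce=4a1b2c3d4e
198.51.100.9 [13/Mar/2024:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=um_get_members HTTP/1.1" 200 0.180 directory_id=b9238&sorting=user_login&nonce=9f8e7d6c5b
198.51.100.9 [13/Mar/2024:10:05:03 +0000] "POST /wp-admin/admin-ajax.php?action=um_get_members HTTP/1.1" 200 0.160 directory_id=b9238&sorting=display_name_desc&nonce=9f8e7d6c5b
192.0.2.44 [13/Mar/2024:10:09:00 +0000] "POST /wp-admin/admin-ajax.php?action=um_get_members HTTP/1.1" 200 5.100 directory_id=b9238&sorting=user_login%2Csleep%285%29&nonce=deadbeef00
"""


def version_in_affected_range(version):
    """True for Ultimate Member versions >= 2.1.3 and < 2.8.3. Numeric tuple
    compare, so 2.10.x is correctly treated as newer than 2.8.3."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= parts < FIXED_IN


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    r["status"] = int(r["status"])
    r["dur"] = float(r["dur"])
    r["body"] = "" if r["body"] == "-" else r["body"]
    return r


def is_um_get_members(req):
    """action= may travel in the query string or the POST body; accept either."""
    query = parse_qs(urlsplit(req["target"]).query)
    body = parse_qs(req["body"])
    actions = query.get("action", []) + body.get("action", [])
    return req["target"].startswith("/wp-admin/admin-ajax.php") and "um_get_members" in actions


def analyze(log_text, plugin_version=None):
    """Return one alert per suspicious um_get_members POST.

    Each alert carries (code, detail) reasons: 'sqli_payload' and 'slow_response'
    are primary indicators; 'nonce_fetch_sequence' is attached only as context,
    because a page GET followed by this POST is also what a normal directory
    page load looks like.
    """
    if plugin_version is not None and not version_in_affected_range(plugin_version):
        return []   # patched or pre-2.1.3 install: suppress, as the bullets recommend
    reqs = [r for r in map(parse_line, log_text.splitlines()) if r]
    alerts = []
    for i, req in enumerate(reqs):
        if req["method"] != "POST" or not is_um_get_members(req):
            continue
        reasons = []
        for value in parse_qs(req["body"]).get("sorting", []):   # parse_qs URL-decodes
            if not SAFE_SORTING.match(value):
                reasons.append(("sqli_payload", f"sorting={value!r}"))
        if req["status"] == 200 and req["dur"] >= SLEEP_SECONDS:
            reasons.append(("slow_response", f"{req['dur']:.2f}s >= {SLEEP_SECONDS:g}s"))
        if not reasons:
            continue
        for prev in reqs[:i]:
            gap = (req["ts"] - prev["ts"]).total_seconds()
            if prev["ip"] == req["ip"] and prev["method"] == "GET" and 0 <= gap <= STAGE_WINDOW_SECONDS:
                reasons.append(("nonce_fetch_sequence", f"GET {prev['target']} {gap:.0f}s earlier"))
                break
        alerts.append({"ip": req["ip"], "ts": req["ts"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, plugin_version="2.8.2"):
        print(alert["ip"], alert["ts"], [code for code, _ in alert["reasons"]])
```

Run against the constructed sample, the two injection attempts (upper- and lowercase SLEEP) are reported and the two benign directory loads are not; passing plugin_version="2.8.3" suppresses everything, which is the version gate the bullets ask for. The timing check uses the 5 s floor from the PoC; because network latency only adds to the observed duration, a lower threshold is not needed, but a request that hits the server's own timeout will never be logged with a duration and must be caught by the payload check instead.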

CVSS provenance

nvd: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
vendor_redhat: 5.5 MEDIUM