CVE-2024-1071
Published 2024-03-13
Priority P190 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 89.43% (99.8th percentile)
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ultimatemember | ultimate_member | >= 2.1.3 < 2.8.3 | 2.8.3 |
Detection & IOCs (extracted from sources)
YARA rule:

```yara
rule CVE_2024_1071_UM_SQLi {
    strings:
        $action = "um_get_members"
        $param  = "sorting="
        $sleep  = "SLEEP("
    condition:
        $action and $param and $sleep
}
```

- Monitor POST requests to /wp-admin/admin-ajax.php with action=um_get_members; malicious payloads inject SQL via the 'sorting' parameter (e.g., 'user_login,SLEEP(5)'), a time-based blind SQLi indicator.
- Detect time-based SQL injection by correlating a response duration >= 5 seconds on requests to the um_get_members AJAX endpoint with HTTP 200 and a body containing 'current_page' and 'total_pages'.
- The exploit is unauthenticated; no session cookie or authentication header is required. Alert on any unauthenticated POST to admin-ajax.php with action=um_get_members and a 'sorting' parameter containing SQL metacharacters (comma, parentheses, SQL keywords).
- Use FOFA/PublicWWW/ZoomEye fingerprint queries to identify exposed instances of the vulnerable plugin for proactive scanning.
- A WordPress nonce value is extracted from the page body (regex: '"nonce":"([0-9a-z]+)"') and reused in the injection request; detection pipelines should flag two-stage request sequences: GET /?p=1 followed immediately by a POST to admin-ajax.php with action=um_get_members from the same source IP.
- The vulnerability affects Ultimate Member plugin versions 2.1.3 through 2.8.2 only; version 2.8.3 and later are patched. Ensure version checks are part of any scanner or WAF rule to avoid false positives on patched installations.
- The Nuclei template uses a 10-second timeout (@timeout: 10s) for the SLEEP(5) payload; IDS/WAF rules using response-time thresholds should account for network latency and set thresholds accordingly to avoid false negatives.
- The injection point is specifically the 'sorting' POST body parameter in the member directory AJAX handler; other parameters in the same endpoint are not the attack vector.
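The detection rules above, combined into one small correlator as an added example (not code from the page or any of the sources it indexes). It runs over constructed, pre-parsed WAF/proxy events (assumed field names: ip, method, path, body, cookies, status, duration_s) and flags the um_get_members POST when the 'sorting' value carries SQL metacharacters or keywords, escalating the alert for missing authentication, slow 200 responses, and the GET-then-POST nonce sequence from the same IP; the latency threshold is a parameter so it can be raised for high-latency links.

```python
import re
from urllib.parse import parse_qs

# Constructed sample events: a nonce-fetch GET followed by an unauthenticated
# time-based probe from one IP, and a benign logged-in directory sort from another.
SAMPLE_EVENTS = [
    {"ip": "198.51.100.7", "method": "GET", "path": "/?p=1", "body": "",
     "cookies": "", "status": 200, "duration_s": 0.2},
    {"ip": "198.51.100.7", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=um_get_members&nonce=abc123&sorting=user_login,SLEEP(5)",
     "cookies": "", "status": 200, "duration_s": 5.3},
    {"ip": "203.0.113.9", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=um_get_members&nonce=def456&sorting=user_registered_desc",
     "cookies": "wordpress_logged_in_abc=user|...", "status": 200, "duration_s": 0.4},
]

# Comma, parentheses, or common SQL keywords inside the sort key (a legitimate
# sort key is a single identifier such as user_registered_desc).
SQL_META = re.compile(r"[,()]|\b(sleep|benchmark|select|union|and|or)\b", re.I)

def alerts_for(ev, prev, latency_s=5.0):
    """Return detection reasons for one event; prev is the same IP's previous event."""
    reasons = []
    if ev["method"] != "POST" or not ev["path"].endswith("/admin-ajax.php"):
        return reasons
    params = parse_qs(ev["body"])
    if params.get("action", [""])[0] != "um_get_members":
        return reasons
    sorting = params.get("sorting", [""])[0]
    if not SQL_META.search(sorting):
        return reasons
    reasons.append("sorting contains SQL metacharacters/keywords")
    if "wordpress_logged_in" not in ev["cookies"]:
        reasons.append("unauthenticated request")
    if ev["status"] == 200 and ev["duration_s"] >= latency_s:
        reasons.append(f"response time >= {latency_s}s (time-based blind SQLi)")
    if prev and prev["method"] == "GET" and prev["path"].startswith("/?p="):
        reasons.append("preceded by nonce-fetch GET from same IP (two-stage sequence)")
    return reasons

def detect(events, latency_s=5.0):
    """Correlate events in arrival order and return (ip, reasons) per alerted request."""
    last_by_ip, hits = {}, []
    for ev in events:
        reasons = alerts_for(ev, last_by_ip.get(ev["ip"]), latency_s)
        if reasons:
            hits.append((ev["ip"], reasons))
        last_by_ip[ev["ip"]] = ev
    return hits
```

Pair the result with a plugin version check (>= 2.8.3 is patched) before paging anyone, as the list above recommends.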
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_redhat | | 5.5 | MEDIUM | |
GHSA
GHSA-mh7h-gpmx-fggj: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable
ghsa_unreviewed · 2024-03-13
VulnCheck
WordPress Ultimate Member Plugin SQL Injection
vulncheck·2024·CVSS 9.8
A SQL injection vulnerability is present in the WordPress Ultimate Member plugin.
Affected: WordPress Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ultimate-member/ultimate-member-user-profile-registration-login-member-directory-content-restriction-membership-plugin-213-282-unauthenticated-sql-injection
Exploit PoC: https://vulncheck.com/xdb/f94b209f4745; https://vulncheck.com/xdb/caa66bebe24f; https://vulncheck.com/xdb/7b3d56bb30ba; https:
No detection rules found.
Metasploit
WordPress Ultimate Member SQL Injection (CVE-2024-1071)
metasploit·CVSS 9.8
The Ultimate Member plugin for WordPress up to version 2.8.2 is vulnerable to SQL injection via the 'sorting' parameter. This allows unauthenticated attackers to exploit blind SQL injections and extract sensitive information from the database.
Nuclei
WordPress Ultimate Member 2.1.3 - 2.8.2 – SQL Injection
nuclei·CVSS 9.8
Template (truncated as indexed):

```yaml
id: CVE-2024-1071
info:
  name: WordPress Ultimate Member 2.1.3 - 2.8.2 – SQL Injection
  author: DhiyaneshDK,iamnooob
  severity: critical
  description: |
    The Ultimate Member - User Profile, Registration, Lo
```
No writeups or analysis indexed.
References:
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.8.2/includes/core/class-member-directory-meta.php?rev=3022076
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.8.2/includes/core/class-member-directory-meta.php?rev=3022076#L666
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.8.2/includes/core/class-member-directory-meta.php?rev=3022076#L858
- https://plugins.trac.wordpress.org/changeset/3038036/ultimate-member/trunk/includes/core/class-member-directory-meta.php
- https://wordpress.org/plugins/ultimate-member/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/005fa621-3c49-4c23-add5-d6b7a9110055?source=cve