CVE-2025-14081
Profile Privacy Bypass in Ultimate Member WordPress Plugin
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ultimate_member | ultimate_member | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Ultimate Member WordPress plugin allows authenticated users with Subscriber-level access to bypass profile privacy settings. Due to a flaw in the secure fields mechanism, field keys are added to the allowed fields list before the required permission check is applied during rendering, so the check decides only whether a field is shown, not whether its value is accepted. As a result, a user can submit the field's parameter directly in the request and change their profile privacy setting (for example, setting their profile visibility to "Only me"), even if the administrator has disabled that option for their role.
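The ordering flaw the answer describes, as an added PHP illustration that is not Ultimate Member's code: every name below (`EDITABLE_FIELDS_BY_ROLE`, `user_can_edit_field`, `render_form_vulnerable`, `render_form_fixed`, `save_profile`) is hypothetical, and the role policy and the posted request are constructed. It places the vulnerable ordering (key registered in the allow-list, then permission check gating only the rendered input) beside the hardened ordering (permission check gating the allow-list itself), and runs both through the same save step.

```php
<?php
// Added illustration, not Ultimate Member's code. Hypothetical names model
// the ordering flaw described above: a form registers each field key in an
// allow-list before checking whether the current role may edit it.

// Hypothetical role policy (constructed). The administrator has withheld
// 'profile_privacy' from subscribers.
const EDITABLE_FIELDS_BY_ROLE = [
    'administrator' => ['display_name', 'profile_privacy'],
    'subscriber'    => ['display_name'],
];

function user_can_edit_field(string $role, string $field): bool
{
    return in_array($field, EDITABLE_FIELDS_BY_ROLE[$role] ?? [], true);
}

// Vulnerable ordering: the key enters the allow-list first; the permission
// check only decides whether the input is rendered. A value posted directly
// for an unrendered key is therefore still accepted at save time.
function render_form_vulnerable(string $role, array $form_fields): array
{
    $allowed = [];
    $html = '';
    foreach ($form_fields as $field) {
        $allowed[] = $field;                      // registered before the check
        if (user_can_edit_field($role, $field)) {
            $html .= '<input name="' . htmlspecialchars($field) . '">';
        }
    }
    return ['allowed' => $allowed, 'html' => $html];
}

// Hardened ordering: the same check gates the allow-list itself, so a key the
// role may not edit is never accepted, whether or not it was rendered.
function render_form_fixed(string $role, array $form_fields): array
{
    $allowed = [];
    $html = '';
    foreach ($form_fields as $field) {
        if (!user_can_edit_field($role, $field)) {
            continue;                             // key never enters the list
        }
        $allowed[] = $field;
        $html .= '<input name="' . htmlspecialchars($field) . '">';
    }
    return ['allowed' => $allowed, 'html' => $html];
}

// Save step shared by both variants: keep only posted keys that are allowed.
function save_profile(array $allowed, array $posted): array
{
    return array_intersect_key($posted, array_flip($allowed));
}

$form_fields = ['display_name', 'profile_privacy'];

// Constructed request: a subscriber posts a key the rendered form never showed.
$posted = ['display_name' => 'alice', 'profile_privacy' => 'Only me'];

$vuln  = render_form_vulnerable('subscriber', $form_fields);
$fixed = render_form_fixed('subscriber', $form_fields);

// The vulnerable allow-list retains profile_privacy; the fixed one does not.
print_r(save_profile($vuln['allowed'], $posted));
print_r(save_profile($fixed['allowed'], $posted));
```

The point for a defender reviewing similar code is where the authorization check sits relative to the data structure that later authorizes the write: a check that only hides an input from the rendered form is not an authorization control, because nothing forces the client to submit only what was rendered. The server-side allow-list must be built from the role's permissions, and the save path must reject any posted key outside it.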
How can this vulnerability impact me?
This vulnerability allows lower-privileged users (Subscribers) to modify their profile privacy settings in ways that administrators intended to restrict. This can lead to unauthorized privacy configurations, affecting how user information is shared or displayed on your site and undermining administrative control over user privacy settings.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Ultimate Member plugin to a version later than 2.11.0, where the profile privacy setting bypass flaw is fixed. Additionally, restrict Subscriber-level users from modifying profile privacy settings by reviewing and adjusting role permissions where the plugin allows it. Monitor and audit user profile changes for suspicious direct parameter manipulation attempts. Consider disabling or limiting the use of profile privacy settings until the plugin is updated.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated users with Subscriber-level access to bypass profile privacy settings, potentially exposing personal information that administrators intended to restrict. Such unauthorized disclosure of personal data could lead to non-compliance with privacy regulations like GDPR and HIPAA, which require strict controls over personal data access and privacy settings. Therefore, the vulnerability poses a risk to compliance by undermining enforced privacy controls.