PT-2024-1894 · WordPress · Ultimate Member

Christiaan Swiers +1

Published 2024-01-30 · Updated 2025-08-14 · CVE-2024-1071

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Ultimate Member versions 2.1.3 through 2.8.2

Description: The issue is a SQL injection vulnerability in the Ultimate Member plugin for WordPress. It can be exploited by unauthenticated attackers to append additional SQL queries to existing ones, potentially allowing them to extract sensitive information from the database. The vulnerability is caused by insufficient escaping of user-supplied parameters and a lack of sufficient preparation of existing SQL queries. It is estimated that over 200,000 websites are potentially affected. There have been reports of attempts to exploit this vulnerability, highlighting the need for prompt action to secure affected sites.

Recommendations: To resolve the issue, update the Ultimate Member plugin to version 2.8.3 or later. This update addresses the SQL injection vulnerability and helps prevent data breaches. Additionally, consider implementing two-factor authentication and using strong passwords to further enhance security. Regularly updating plugins and themes is also crucial in maintaining the security of WordPress sites.
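The defect class named in the description, shown as an added illustration rather than code from the Ultimate Member plugin: a hypothetical plugin query that concatenates a request parameter into SQL, next to the same query built with $wpdb->prepare(). It also covers the identifier case (a caller-chosen sort column), which prepare() cannot bind and which therefore needs an allow-list; the table, column and function names are assumed.

```php
<?php
// Illustrative only: not the plugin's own code. Table/column names are hypothetical.

// VULNERABLE: the request parameter is concatenated straight into the statement,
// so whatever the client sends is parsed as SQL, not treated as data.
function um_demo_lookup_unsafe( $wpdb, $status ) {
    $sql = "SELECT user_id FROM {$wpdb->prefix}demo_members WHERE status = '" . $status . "'";
    return $wpdb->get_col( $sql );
}

// FIXED: the value is passed to $wpdb->prepare(), which quotes and escapes it,
// so the parameter can only ever be compared as a string value.
function um_demo_lookup_safe( $wpdb, $status ) {
    $sql = $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->prefix}demo_members WHERE status = %s",
        $status
    );
    return $wpdb->get_col( $sql );
}

// prepare() binds values only. Identifiers such as an ORDER BY column cannot be
// bound, so a caller-controlled sort field must be mapped onto a fixed allow-list
// and fall back to a known-safe default for anything else.
function um_demo_sort_column( $requested ) {
    $allowed = array( 'user_login', 'user_registered', 'display_name' );
    return in_array( $requested, $allowed, true ) ? $requested : 'user_registered';
}

function um_demo_list_safe( $wpdb, $status, $orderby ) {
    $column = um_demo_sort_column( $orderby ); // never the raw request value
    $sql = $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->prefix}demo_members WHERE status = %s ORDER BY {$column}",
        $status
    );
    return $wpdb->get_col( $sql );
}
```

When reviewing a plugin for this class of bug, search for $wpdb->query / get_results / get_col calls whose SQL string is built with interpolation or concatenation from $_GET, $_POST or $_REQUEST without a surrounding prepare() or an allow-list check.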

Tags: Exploit · Fix · SQL injection


Weakness Enumeration

Related Identifiers: BDU:2024-01665, CVE-2024-1071

Affected Products: Ultimate Member