{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14081", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T01:12:20.672Z", "datePublished": "2025-12-17T18:21:35.858Z", "dateUpdated": "2026-04-08T17:14:28.703Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:28.703Z"}, "affected": [{"vendor": "ultimatemember", "product": "Ultimate Member \u2013 User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.11.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendering. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (e.g., setting profile to \"Only me\") via direct parameter manipulation, even when the administrator has explicitly disabled the option for their role."}], "title": "Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Profile Privacy Setting Bypass", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aad57a68-c385-491f-a5a2-32906df4b52b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/um-actions-account.php#L322"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-account.php#L610"}, {"url": "https://plugins.trac.wordpress.org/changeset/3421362/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Boris Bogosavac"}], "timeline": [{"time": "2025-12-05T01:28:04.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-16T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T18:51:48.415456Z", "id": "CVE-2025-14081", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T19:29:00.907Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14081", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T18:51:48.415456Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T18:51:51.856Z"}}], "cna": {"title": "Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Profile Privacy Setting Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Boris Bogosavac"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ultimatemember", "product": "Ultimate Member \u2013 User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.11.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T01:28:04.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-16T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aad57a68-c385-491f-a5a2-32906df4b52b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/um-actions-account.php#L322"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-account.php#L610"}, {"url": "https://plugins.trac.wordpress.org/changeset/3421362/"}], "descriptions": [{"lang": "en", "value": "The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendering. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (e.g., setting profile to \"Only me\") via direct parameter manipulation, even when the administrator has explicitly disabled the option for their role."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:28.703Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14081", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:14:28.703Z", "dateReserved": "2025-12-05T01:12:20.672Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-17T18:21:35.858Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendering. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (e.g., setting profile to \"Only me\") via direct parameter manipulation, even when the administrator has explicitly disabled the option for their role."}], "id": "CVE-2025-14081", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-17T19:16:01.543", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-account.php#L610"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/um-actions-account.php#L322"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3421362/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aad57a68-c385-491f-a5a2-32906df4b52b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:22:35.848694+00:00", "value": {"mitigation_remediation": ["Update the Ultimate Member plugin to the latest version that fixes the permission check flaw.", "If an upgrade cannot be performed immediately, remove or disable the profile privacy settings for roles that should not have this control, ensuring that Subscribers cannot change visibility levels.", "Verify that all permission checks for rendering profile fields are correctly implemented and no legacy code paths bypass the required_perm check, aligning your customizations with the recommended access control practices for CWE-863 (Missing Authorization)"], "summary": {"action": "Apply Update", "impact": "Profile Privacy Bypass"}, "threat_synthesis": {"affected_systems": "Any WordPress installation running the Ultimate Member plugin up to and including version 2.11.0 is affected. Users of the plugin should confirm they are running v2.11.0 or earlier and plan to upgrade. The vulnerability does not affect WordPress core, but any site component that relies on the Ultimate Member privacy settings for access control is at risk.", "description_and_impact": "The Vulnerability in the Ultimate Member plugin allows an authenticated user with Subscriber-level access to alter the privacy setting of their profile by manipulating request parameters. The flaw arises because field keys are added to the allowed list before the required permission check is performed during rendering. The result is a privacy setting change that the user should not be able to perform, potentially exposing personal data to unauthorized viewers. This weakness is a classic example of missing authorization checks and is catalogued as CWE-863.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate overall risk, and the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability requires authenticated access with a Subscriber role, so it is not remotely exploitable from an unauthenticated state. The attacker can simply change a profile setting\u2014though this does not compromise code execution or system integrity, it does compromise confidentiality of the user\u2019s own profile. The vulnerability is not listed in the CISA KEV catalog, implying no widely known exploits have been observed yet."}}}}, "created": "2025-12-18T09:57:04.459984+00:00", "updated": "2026-04-20T21:30:18.574498+00:00", "vendors": ["ultimatemember", "ultimatemember$PRODUCT$ultimate_member", "wordpress", "wordpress$PRODUCT$wordpress"]}