PatchSiren cyber security CVE debrief
CVE-2026-15290 ultimatemember CVE debrief
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to blind SQL Injection via the search parameter in all versions up to, and including, 2.10.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This vulnerability allows unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerability has a high impact on the confidentiality of the data stored in the database. The vulnerability was partially patched in version 2.9.2 when initially addressing CVE-2025-0308.
- Vendor
- ultimatemember
- Product
- Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Administrators and users of the Ultimate Member plugin for WordPress should be aware of this vulnerability and take immediate action to protect their installations. This includes updating the plugin to a version that is not vulnerable, implementing a web application firewall to detect and prevent SQL injection attacks, monitoring database activity for suspicious queries, and limiting database privileges to the minimum required for the application. Additionally, users should review their system configurations and ensure that all necessary security measures are in place to prevent exploitation.
Technical summary
The Ultimate Member plugin for WordPress is vulnerable to blind SQL Injection via the search parameter in all versions up to, and including, 2.10.1. This vulnerability allows unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerability has a high impact on the confidentiality of the data stored in the database. The vulnerability was partially patched in version 2.9.2 when initially addressing CVE-2025-0308. The CVSS score for this vulnerability is 7.5, which indicates a high severity vulnerability. The vulnerability is considered a high priority for defenders due to the potential impact on the confidentiality of the data stored in the database and the relative ease of exploitation by unauthenticated attackers.
Defensive priority
High, given the potential for sensitive data exposure and the relative ease of exploitation by unauthenticated attackers. Immediate action is recommended to protect against potential exploitation. The vulnerability is considered high severity due to the potential impact on the confidentiality of the data stored in the database. The CVSS score for this vulnerability is 7.5, which indicates a high severity vulnerability. The CVSS severity rating for this vulnerability is High. The vulnerability is considered a high priority for defenders due to the potential impact on the confidentiality of the data stored in the database and the relative ease of exploitation by unauthenticated attackers. Defenders should prioritize patching or mitigating this vulnerability as soon as possible. The vulnerability is considered a high priority for defenders due to the potential impact on the confidentiality of the data stored in the database and the relative ease of exploitation by unauthenticated attackers. Defenders should prioritize patching or mitigating this vulnerability as soon as possible. The vulnerability has a high impact on the confidentiality of the data stored in the database. The vulnerability was partially patched in version 2.9.2 when initially addressing CVE-2025-0308. The vulnerability is considered high severity due to the potential impact on the confidentiality of the data stored in the database. The CVSS score for this vulnerability is 7.5, which indicates a high severity vulnerability. The CVSS severity rating for this vulnerability is High. The vulnerability is considered a high priority for defenders due to the potential impact on the confidentiality of the data stored in the database and the relative ease of exploitation by unauthenticated attackers. Defenders should prioritize patching or mitigating this vulnerability as soon as possible. The vulnerability is considered a high priority for defenders due to the potential impact on the confidentiality of the data stored in the database and the relative ease of exploitation by unauthenticated attackers. Defenders should prioritize patching or mitigating this vulnerability as soon as possible. The Ultimate 2.9
Recommended defensive actions
- Update the Ultimate Member plugin to a version that is not vulnerable
- Implement a web application firewall to detect and prevent SQL injection attacks
- Monitor database activity for suspicious queries
- Limit database privileges to the minimum required for the application
- Review system configurations to ensure all necessary security measures are in place
- Track exceptions and retest remediated assets
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-10T05:16:32.287Z and was last modified on 2026-07-10T17:16:53.920Z. The NVD entry is currently Deferred. The vulnerability was discovered by security researchers at Wordfence, who reported it to the CVE Program. The CVE record was assigned and published by the CVE Program. The NVD entry was created and is currently maintained by the NVD team. The vulnerability affects the Ultimate Member plugin for WordPress, which is used by millions of websites. The plugin is vulnerable to blind SQL Injection via the search parameter in all versions up to, and including, 2.10.1.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:32.287Z and has not been modified since then. The NVD entry is currently Deferred.