Security Advisory

CVE-2025-14081

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2025-12-17 18:21:35
Last updated 2026-04-08 17:14:28
Assigner Wordfence
State PUBLISHED

Description

The Ultimate Member plugin for WordPress is vulnerable to a profile privacy setting bypass in all versions up to and including 2.11.0. The cause is an ordering flaw in the secure fields mechanism: during form rendering, a field's key is added to the allowed fields list before the field's `required_perm` check is evaluated, so a field that the check hides from the form is still treated as a permitted field. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (for example, setting their profile to "Only me") by submitting the parameter directly, even when the administrator has explicitly disabled that option for their role.
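The following is an added illustration of the ordering bug class the advisory describes; it is not Ultimate Member's code and does not reproduce the plugin's internals. The function names, the `$allowed_fields` list, the role-to-capability map, the `manage_privacy` capability and the `profile_privacy` field key are all assumptions made for this example. It shows a minimal profile-form renderer that records a field as allowed before its `required_perm` check runs, the submit handler that trusts that list, and a corrected renderer plus a save path that re-checks the permission server-side instead of relying on render-time state alone.

```php
<?php
// Added example, not Ultimate Member's code. All names below are assumptions.
declare(strict_types=1);

// Constructed role -> capability map. The administrator has disabled the
// privacy option for subscribers, so that role lacks 'manage_privacy'.
function user_can(string $role, string $perm): bool {
    $caps = [
        'administrator' => ['manage_privacy' => true],
        'subscriber'    => [],
    ];
    return $caps[$role][$perm] ?? false;
}

// Constructed form definition: one unrestricted field, one that needs a permission.
function form_fields(): array {
    return [
        'display_name'    => ['required_perm' => null],
        'profile_privacy' => ['required_perm' => 'manage_privacy'],
    ];
}

// VULNERABLE renderer: the key is added to the allowed list BEFORE the
// required_perm check decides whether the field is actually shown.
function render_vulnerable(string $role, array &$allowed_fields): array {
    $rendered = [];
    foreach (form_fields() as $key => $field) {
        $allowed_fields[] = $key; // recorded unconditionally
        if ($field['required_perm'] !== null && !user_can($role, $field['required_perm'])) {
            continue;             // hidden from the form, but already "allowed"
        }
        $rendered[] = $key;
    }
    return $rendered;
}

// FIXED renderer: the key only enters the allowed list once the check passes.
function render_fixed(string $role, array &$allowed_fields): array {
    $rendered = [];
    foreach (form_fields() as $key => $field) {
        if ($field['required_perm'] !== null && !user_can($role, $field['required_perm'])) {
            continue;
        }
        $allowed_fields[] = $key;
        $rendered[] = $key;
    }
    return $rendered;
}

// Submit handler that trusts the render-time allowed list as its only filter.
function save_profile_trusting_list(array $post, array $allowed_fields, array &$meta): void {
    foreach ($post as $key => $value) {
        if (in_array($key, $allowed_fields, true)) {
            $meta[$key] = $value;
        }
    }
}

// Hardened submit handler: re-evaluates required_perm on the save path, so a
// field that slipped into the allowed list is still rejected for this role.
function save_profile_rechecking(string $role, array $post, array $allowed_fields, array &$meta): void {
    $fields = form_fields();
    foreach ($post as $key => $value) {
        if (!in_array($key, $allowed_fields, true) || !isset($fields[$key])) {
            continue;
        }
        $perm = $fields[$key]['required_perm'];
        if ($perm !== null && !user_can($role, $perm)) {
            continue; // permission missing: ignore the submitted value
        }
        $meta[$key] = $value;
    }
}

// Constructed request: a Subscriber posts the hidden privacy field directly.
$post = ['display_name' => 'alice', 'profile_privacy' => 'Only me'];

$allowed = []; $meta = [];
render_vulnerable('subscriber', $allowed);
save_profile_trusting_list($post, $allowed, $meta);
echo "vulnerable ordering, privacy saved: " . (isset($meta['profile_privacy']) ? 'yes' : 'no') . "\n";

$allowed = []; $meta = [];
render_fixed('subscriber', $allowed);
save_profile_trusting_list($post, $allowed, $meta);
echo "fixed ordering, privacy saved: " . (isset($meta['profile_privacy']) ? 'yes' : 'no') . "\n";

$allowed = []; $meta = [];
render_vulnerable('subscriber', $allowed); // even with the bad ordering...
save_profile_rechecking('subscriber', $post, $allowed, $meta);
echo "rechecked on save, privacy saved: " . (isset($meta['profile_privacy']) ? 'yes' : 'no') . "\n";
```

The point for reviewers of similar form code is that an allow-list populated during rendering is only as good as the order of the statements that build it: any `continue` or early return placed after the list append leaves the field authorised for submission while invisible in the UI. The safer pattern is to treat the render-time list as a hint and enforce the permission again where the value is written, as the third run above does.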