Get Started
CVE July 6, 2026 4 min read

CVE-2024-1071: Critical Unauthenticated SQL Injection in Ultimate Member (200,000+ Sites)

CVE-2024-1071 is a critical (CVSS 9.8) unauthenticated SQL injection in the Ultimate Member plugin affecting versions 2.1.3 through 2.8.2 on 200,000+ WordPress sites. Attackers could exploit the member directory sorting parameter to steal database contents. Update to version 2.8.3 or later immediately.

In February 2024, security researchers disclosed a critical flaw in Ultimate Member, one of the most popular membership and user-profile plugins for WordPress. Tracked as CVE-2024-1071, the vulnerability let unauthenticated attackers — people with no account and no password — inject SQL commands directly into the site’s database. With a CVSS score of 9.8 out of 10 and more than 200,000 active installations affected, this was about as serious as WordPress vulnerabilities get. If your site runs Ultimate Member and hasn’t been updated since early 2024, this post explains what happened, why it matters, and exactly what to do about it.

CVE Details at a Glance

  • CVE ID: CVE-2024-1071
  • Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
  • Vulnerability type: Unauthenticated SQL Injection (SQLi)
  • CVSS 3.1 score: 9.8 (Critical)
  • Affected versions: 2.1.3 through 2.8.2
  • Patched version: 2.8.3 (released February 19, 2024)
  • Authentication required: None
  • Active installations affected: 200,000+

How the Vulnerability Works

SQL injection is one of the oldest and most damaging classes of web vulnerability. It happens when a web application takes input from a visitor and drops it into a database query without properly cleaning it first. The database can’t tell the difference between the data the developer intended and malicious commands smuggled in by an attacker, so it simply runs whatever it receives.

In Ultimate Member’s case, the weak point was the sorting parameter used by the plugin’s member directory feature. When a visitor sorts or filters the list of members, that request is handled through WordPress’s admin-ajax.php endpoint. The plugin took the value of the sorting parameter and placed it into a database query without escaping it correctly or using a properly prepared statement. As a result, an attacker could craft a request that closes off the legitimate query and appends their own SQL commands.

Because the member directory is a public-facing feature, no login was required to reach the vulnerable code. An attacker only needed to know the target URL and send specially crafted requests. The flaw was exploitable as a time-based blind SQL injection, meaning the attacker infers the contents of the database one character at a time by observing how long the server takes to respond — a slow but reliable technique that automated tools can run at scale. Public proof-of-concept exploits and a Metasploit scanner module appeared shortly after disclosure, which dramatically lowered the skill needed to attack unpatched sites.

Real-World Impact

A successful SQL injection against a WordPress site is close to a worst-case scenario. The WordPress database holds everything that matters: usernames, hashed passwords, email addresses, password-reset keys, session tokens, and any personal data your members have submitted. With the ability to run arbitrary queries, an attacker could extract the entire wp_users table and begin cracking password hashes offline, or steal authentication keys to hijack existing sessions.

The damage doesn’t stop at data theft. Once an attacker can read and manipulate the database, they can escalate toward full site takeover — for example by promoting a compromised account to administrator, injecting malicious redirects or spam content, or planting a backdoor for persistent access. For membership sites, e-commerce stores, and communities that store customer information, a breach of this kind also carries serious privacy and regulatory consequences under frameworks like GDPR. In short, this single parameter could open the door to credential theft, defacement, and complete loss of control over the site.

How to Check If You’re Affected

Start by confirming whether the plugin is installed and which version you’re running:

  • Log in to your WordPress admin dashboard and go to Plugins > Installed Plugins.
  • Look for Ultimate Member in the list and note the version number displayed beneath the plugin name.
  • If the version is 2.8.2 or lower (down to 2.1.3), your site is vulnerable and needs to be updated immediately.
  • If you can’t access the dashboard, you can check the version in the file wp-content/plugins/ultimate-member/readme.txt under “Stable tag,” using SFTP or your host’s file manager.

Because exploit code has been public since early 2024, treat any long-unpatched installation as potentially already compromised. Review your admin user list for accounts you don’t recognize, check for unexpected new users or role changes, and scan your server logs for suspicious repeated requests to admin-ajax.php that include a sorting parameter.

How to Fix It

The fix is straightforward: update Ultimate Member to version 2.8.3 or later, which corrects the query handling that made the injection possible. More recent releases include additional fixes, so updating to the current version is the best move.

  • In your dashboard, go to Plugins > Installed Plugins, find Ultimate Member, and click Update Now if an update is available.
  • Alternatively, go to Dashboard > Updates to run all pending plugin updates at once.
  • Enable automatic updates for the plugin (in the Plugins list, click Enable auto-updates) so future security patches apply without delay.
  • After updating, confirm the version now reads 2.8.3 or higher.

If you suspect your site was already exploited, updating alone is not enough — the attacker may have left behind rogue accounts or backdoors. In that case, take a backup, reset all user passwords and WordPress security keys (the values in wp-config.php), review your database and file system for unfamiliar changes, and consider engaging a professional cleanup service. Adding a web application firewall (WAF) provides an extra layer of protection by blocking common SQL injection patterns before they ever reach your plugins.

Takeaway

CVE-2024-1071 is a textbook reminder that a single unsanitized parameter can put hundreds of thousands of sites at risk. The good news is that the defense is simple and within reach of every site owner: keep your plugins updated, enable automatic updates for critical components, and don’t run software that has gone months without a patch. Pair that habit with regular backups, the principle of least privilege for user accounts, and a firewall in front of your site, and you turn a potential catastrophe into a non-event. Security isn’t about reacting to every headline — it’s about the routine hygiene that quietly closes these doors before anyone can walk through them.

Related Articles