CVE-2025-1702: 
WordPress vulnerability analysis and mitigation

The Ultimate Member WordPress plugin (versions up to 2.10.0) contains a time-based SQL Injection vulnerability (CVE-2025-1702) discovered in March 2025. The vulnerability exists in the 'search' parameter due to insufficient escaping of user-supplied input and inadequate SQL query preparation. This security flaw affects the member directory functionality of the plugin (NVD).

The vulnerability is classified as an SQL Injection (CWE-89) with a CVSS v3.1 base score of 7.5 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue stems from improper namespace usage and insufficient validation in the member directory query system. The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries (Wordfence).

The vulnerability allows unauthenticated attackers to extract sensitive information from the database through SQL injection techniques. The high CVSS score indicates significant potential for data breach, with particular emphasis on confidentiality impact while maintaining no direct impact on integrity or availability (NVD).

The vulnerability has been patched in version 2.10.1 of the Ultimate Member plugin. The fix includes enhanced regex validation to block sleep injections and proper namespace handling. Users are strongly advised to update to this version immediately (GitHub).