CVE-2024-1071

CRITICAL EXPLOITED NUCLEI LAB

WordPress Ultimate Member SQL Injection (CVE-2024-1071)

Title source: metasploit

Exploitation Summary

CVE-2024-1071 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 9 public exploits, from researchers including gh-ost00, gbrsh and Trackflaw; one of them is the Metasploit module auxiliary/scanner/http/wp_ultimate_member_sorting_sqli. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a scanner for CVE-2024-1071, which is a SQL Injection vulnerability in the WordPress Ultimate Member plugin. The script checks for vulnerable versions, retrieves necessary parameters (nonce, directory_id), and suggests using SQLmap for exploitation.

Description

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2, due to insufficient escaping of the user-supplied parameter and insufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.

Exploits (9)

nomisec SCANNER 22 stars
by gh-ost00 · infoleak
https://github.com/gh-ost00/CVE-2024-1071-SQL-Injection

This repository contains a scanner for CVE-2024-1071, which is a SQL Injection vulnerability in the WordPress Ultimate Member plugin. The script checks for vulnerable versions, retrieves necessary parameters (nonce, directory_id), and suggests using SQLmap for exploitation.

Classification: Scanner 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: WordPress Ultimate Member plugin versions 2.1.3 to 2.8.2
No auth needed
Prerequisites: Target must be running a vulnerable version of the Ultimate Member plugin · Target must have the plugin's readme.txt accessible · Target must have the registration page accessible
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 7 stars
by gbrsh · infoleak
https://github.com/gbrsh/CVE-2024-1071

This repository contains a functional exploit for CVE-2024-1071, an unauthorized database access/SQL injection vulnerability in the Ultimate Member WordPress plugin. The exploit automates the process of retrieving a nonce, identifying a valid directory ID, and preparing a SQL injection payload for use with sqlmap.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Ultimate Member WordPress plugin (versions between 2.1.3 and 2.8.2)
No auth needed
Prerequisites: Target must be running a vulnerable version of the Ultimate Member plugin · WordPress installation must be accessible
devstral-2 · analyzed Feb 18, 2026

nomisec STUB 3 stars
by Trackflaw · poc
https://github.com/Trackflaw/CVE-2024-1071-Docker

This repository provides a Docker environment to set up a vulnerable WordPress instance with the Ultimate Member plugin (version 2.8.2) for testing CVE-2024-1071. It does not include actual exploit code but references external PoCs for automation.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: WordPress Ultimate Member plugin 2.8.2
Auth required
Prerequisites: Docker installed · WordPress with Ultimate Member plugin activated · Custom table for account metadata enabled
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by Spid3heX · infoleak
https://github.com/Spid3heX/CVE-2024-1071-PoC-Script

This repository contains a functional Python script that automates the exploitation of CVE-2024-1071, an SQL injection vulnerability in the WordPress Ultimate Member plugin (versions 2.1.3 to 2.8.2). The script checks for vulnerable versions, retrieves necessary nonces and directory IDs, and uses SQLMap to exploit the vulnerability via the 'sorting' parameter.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: WordPress Ultimate Member plugin versions 2.1.3 to 2.8.2
No auth needed
Prerequisites: Target must have the vulnerable Ultimate Member plugin installed · SQLMap must be installed for automated exploitation
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by dogucyber · poc
https://github.com/dogucyber/WordPress-Exploit-CVE-2024-1071

This repository contains a functional Python exploit for CVE-2024-1071, an SQL injection vulnerability in WordPress Ultimate Member plugin versions 2.1.3 to 2.8.2. The exploit automates the process of checking plugin versions, retrieving nonces, and identifying valid directory IDs to facilitate SQL injection attacks.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: WordPress Ultimate Member plugin versions 2.1.3 to 2.8.2
No auth needed
Prerequisites: Target must have the vulnerable Ultimate Member plugin installed · Target must have the registration page accessible
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 1 star
by Matrexdz · poc
https://github.com/Matrexdz/CVE-2024-1071-Docker

This repository provides a Docker-based lab environment for CVE-2024-1071, a vulnerability in the Ultimate Member WordPress plugin. It includes a pre-configured WordPress instance with the vulnerable plugin (version 2.8.2) and setup instructions to replicate the exploit scenario.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Ultimate Member plugin v2.8.2
Auth required
Prerequisites: Docker installed · WordPress instance with Ultimate Member plugin v2.8.2 · Admin access to enable vulnerable plugin settings
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by Matrexdz · infoleak
https://github.com/Matrexdz/CVE-2024-1071

This repository contains a functional exploit for CVE-2024-1071, an unauthorized database access/SQL injection vulnerability in the Ultimate Member WordPress plugin. The exploit automates the process of retrieving a nonce, identifying a valid directory ID, and preparing a SQL injection payload for use with sqlmap.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Ultimate Member WordPress plugin (versions between 2.1.3 and 2.8.2)
No auth needed
Prerequisites: Target must be running a vulnerable version of the Ultimate Member plugin · WordPress installation must be accessible
devstral-2 · analyzed Feb 18, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/Dogu589/WordPress-Exploit-CVE-2024-1071

This repository contains a functional Python exploit for CVE-2024-1071, an SQL injection vulnerability in WordPress Ultimate Member plugin versions 2.1.3 to 2.8.2. The exploit automates the process of checking plugin versions, retrieving nonces, and identifying valid directory IDs to facilitate SQL injection attacks.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: WordPress Ultimate Member plugin versions 2.1.3 to 2.8.2
No auth needed
Prerequisites: Target must have the Ultimate Member plugin installed and vulnerable version · Access to the target's /wp-content/plugins/ultimate-member/readme.txt · Access to the target's registration page to retrieve nonce
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC
by Christiaan Swiers, Valentin Lobstein · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_ultimate_member_sorting_sqli.rb

This Metasploit module exploits a time-based blind SQL injection vulnerability in the WordPress Ultimate Member plugin via the 'sorting' parameter. It automates the extraction of user credentials by first retrieving a nonce and directory ID, then leveraging SQLi to dump database contents.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: WordPress Ultimate Member plugin <= 2.8.2
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and active · WordPress site must be accessible
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

WordPress Ultimate Member 2.1.3 - 2.8.2 – SQL Injection
CRITICAL · VERIFIED · by DhiyaneshDK, iamnooob
FOFA: body="/wp-content/plugins/ultimate-member"

Scores

CVSS v3 9.8
EPSS 0.9291
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2024-02-23
CWE CWE-89
Status published
Products (1)
ultimatemember/ultimate_member 2.1.3 - 2.8.3
Published Mar 13, 2024
Tracked Since Feb 18, 2026