Refine your search
2 vulnerabilities found for Ultimate Member Widgets for Elementor – WordPress User Directory by userelements
CVE-2025-12778 (GCVE-0-2025-12778)
Vulnerability from nvd
Published
2025-11-20 04:37
Modified
2025-11-20 19:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Ultimate Member Widgets for Elementor – WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name and email addresses.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| userelements | Ultimate Member Widgets for Elementor – WordPress User Directory |
Version: * ≤ 2.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T19:26:28.199675Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T19:26:35.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ultimate Member Widgets for Elementor \u2013 WordPress User Directory",
"vendor": "userelements",
"versions": [
{
"lessThanOrEqual": "2.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Powpy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ultimate Member Widgets for Elementor \u2013 WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name and email addresses."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T04:37:14.431Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a917a24b-09cc-48e9-844a-e1ed573a708f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3397029/ultimate-member-widgets-for-elementor"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-28T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-06T01:52:11.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-19T16:28:08.000+00:00",
"value": "Disclosed"
}
],
"title": "Ultimate Member Widgets for Elementor \u003c= 2.3 - Missing Authorization to Unauthenticated Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12778",
"datePublished": "2025-11-20T04:37:14.431Z",
"dateReserved": "2025-11-05T20:46:27.814Z",
"dateUpdated": "2025-11-20T19:26:35.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12778 (GCVE-0-2025-12778)
Vulnerability from cvelistv5
Published
2025-11-20 04:37
Modified
2025-11-20 19:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Ultimate Member Widgets for Elementor – WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name and email addresses.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| userelements | Ultimate Member Widgets for Elementor – WordPress User Directory |
Version: * ≤ 2.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T19:26:28.199675Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T19:26:35.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ultimate Member Widgets for Elementor \u2013 WordPress User Directory",
"vendor": "userelements",
"versions": [
{
"lessThanOrEqual": "2.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Powpy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ultimate Member Widgets for Elementor \u2013 WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name and email addresses."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T04:37:14.431Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a917a24b-09cc-48e9-844a-e1ed573a708f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3397029/ultimate-member-widgets-for-elementor"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-28T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-06T01:52:11.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-19T16:28:08.000+00:00",
"value": "Disclosed"
}
],
"title": "Ultimate Member Widgets for Elementor \u003c= 2.3 - Missing Authorization to Unauthenticated Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12778",
"datePublished": "2025-11-20T04:37:14.431Z",
"dateReserved": "2025-11-05T20:46:27.814Z",
"dateUpdated": "2025-11-20T19:26:35.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}