← back
CVE-2025-12778

Ultimate Member Widgets for Elementor <= 2.3 - Missing Authorization to Unauthenticated Information Exposure

CVSS 5.3 MEDIUMEPSS 0.2%CWE-862
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
20 Nov 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Ultimate Member Widgets for Elementor – WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name and email addresses.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
userelements · Ultimate Member Widgets for Elementor – WordPress User Directory

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://plugins.trac.wordpress.org/changeset/3397029/ultimate-member-widgets-for-elementorhttps://www.wordfence.com/threat-intel/vulnerabilities/id/a917a24b-09cc-48e9-844a-e1ed573a708f?source=cve