CVE-2025-12778

MEDIUM 5.3

Ultimate Member Widgets for Elementor <= 2.3 - Missing Authorization to Unauthenticated Information Exposure

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

The Ultimate Member Widgets for Elementor – WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name and email addresses.

CWE	CWE-862
Vendor	userelements
Product	ultimate member widgets for elementor – wordpress user directory
Published	Nov 20, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for userelements ultimate member widgets for elementor – wordpress user directory

Be the first to know when new medium vulnerabilities affecting userelements ultimate member widgets for elementor – wordpress user directory are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

userelements / Ultimate Member Widgets for Elementor – WordPress User Directory

0 ≤ 2.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/a917a24b-09cc-48e9-844a-e1ed573a708f?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3397029/ultimate-member-widgets-for-elementor

Credits

Powpy