Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

ultimate-member
Releases311
Frequency1 week 6 days
Last Release
Downloads13.2M

User Profile & Membership Plugin for WordPress

The ultimate user profile & membership plugin for WordPress. The plugin makes it a breeze for users to sign-up and become members of your website. The plugin allows you to add beautiful user profiles to your site and is designed for creating advanced online communities and membership sites. Lightweight and highly extendible, Ultimate Member will enable you to create almost any type of site where users can join and become members with absolute ease.

Features of the plugin include:

  • Front-end user profiles
  • Front-end user registration
  • Front-end user login
  • Custom form fields
  • Conditional logic for form fields
  • Drag and drop form builder
  • User account page
  • Custom user roles
  • Member directories
  • User emails
  • Content restriction
  • Conditional nav menus
  • Show author posts & comments on user profiles
  • Developer friendly with dozens of actions and filters

Read about all of the plugin’s features at Ultimate Member

Paid Extensions

Ultimate Member has a range of extensions that allow you to extend the power of the plugin. You can purchase all of these extensions at a significant discount with one of our paid plans or you can purchase extensions individually.

  • Zapier – Allow to integrate the Zapier popular apps with Ultimate Member
  • Stripe – Sell paid memberships to access your website via Stripe subscriptions
  • User Notes – Allow users to create public and private notes from their profile
  • Profile Tabs – Allow to add the custom tabs to profiles
  • User Locations – Allow to display users on a map on the member directory page and allow users to add their location via their profile
  • Unsplash – Allow users to select a profile cover photo from Unsplash from their profile
  • User Bookmarks – Allow users to bookmark content from your website
  • User Photos – Allow users to upload photos to their profile
  • Groups – Allow users to create and join groups around shared topics, interests etc.
  • Private Content – Display private content to logged in users that only they can access
  • User Tags – Lets you add a user tag system to your website
  • Social Activity – Let users create public wall posts & see the activity of other users
  • WooCommerce – Allow you to integrate WooCommerce with Ultimate Member
  • Private Messages – Add a private messaging system to your site & allow users to message each other
  • Followers – Allow users to follow each other on your site and protect their profile information
  • Real-time Notifications – Add a notifications system to your site so users can receive real-time notifications
  • Social Login – Let users register & login to your site via Facebook, Twitter, G+, LinkedIn, Instagram and Vkontakte (VK.com)
  • bbPress – With the bbPress extension you can beautifully integrate Ultimate Member with bbPress
  • MailChimp – Allow users to subscribe to your MailChimp lists when they signup on your site and sync user meta to MailChimp
  • User Reviews – Allow users to rate & review each other using a 5 star rate/review system
  • Verified Users – Add a user verification system to your site so user accounts can be verified
  • myCRED – With the myCRED extension you can integrate Ultimate Member with the popular myCRED points management plugin
  • Notices – Alert users to important information using conditional notices
  • Profile Completeness – Encourage or force users to complete their profiles with the profile completeness extension
  • Friends – Allows users to become friends by sending & accepting/rejecting friend requests

Free Extensions

  • JobsBoardWP – This free extension integrates Ultimate Member with the job board plugin JobBoardWP.
  • ForumWP – This free extension integrates Ultimate Member with the forum plugin ForumWP.
  • Terms & Conditions – Add a terms and condition checkbox to your registration forms & require users to agree to your T&Cs before registering on your site.
  • Google reCAPTCHA – Stop bots on your registration & login forms with Google reCAPTCHA
  • Online Users – Display what users are online with this extension

Theme

Our official theme is purpose built for websites that have logged in and out users. The theme has deep integration with Ultimate Member plugin and the extensions, different header designs for logged-in/out users and works alongside the Beaver Builder and Elementor page builders.

Our other plugins

In addition to Ultimate Member, we also have two other plugins: ForumWP and JobBoardWP.

ForumWP

ForumWP is a forum plugin which adds an online forum to your website, allowing users to create topics and write replies. Forums are a great way to build and grow an online community.

JobBoardWP

JobBoardWP is a job board plugin which adds a modern job board to your website. Display job listings and allow employers to submit and manage jobs all from the front-end.

Development * Translations

If you’re a developer and would like to contribute to the source code of the plugin you can do so via our GitHub Repository.

Want to add a new language to Ultimate Member? Great! You can contribute via translate.wordpress.org.

If you are a developer and you need to know the list of UM Hooks, make this via our Hooks Documentation or Hooks Documentation v2.

If you are a developer and you need to know the structure of our code, make this via our Documentation API.

Documentation & Support

Got a problem or need help with Ultimate Member? Head over to our documentation and perform a search of the knowledge base. If you can’t find a solution to your issue then you can create a topic on the support forum.

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
7.5 HIGH

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 2.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

6.4 MEDIUM

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'um_loggedin' shortcode in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

9.8 CRITICAL

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

5.3 MEDIUM5 MEDIUM

The Ultimate Member plugin before 2.1.13 for WordPress mishandles hidden name="timestamp" fields in forms.

10 CRITICAL7.5 HIGH

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Roles. Due to the lack of filtering on the role parameter that could be supplied during the registration process, an attacker could supply the role parameter with a WordPress capability (or any custom Ultimate Member role) and effectively be granted those privileges.

9.9 CRITICAL6.5 MEDIUM

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Authenticated Privilege Escalation via Profile Update. Any user with wp-admin access to the profile.php page could supply the parameter um-role with a value set to any role (e.g., Administrator) during a profile update, and effectively escalate their privileges.

10 CRITICAL7.5 HIGH

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta. An attacker could supply an array parameter for sensitive metadata, such as the wp_capabilities user meta that defines a user's role. During the registration process, submitted registration details were passed to the update_profile function, and any metadata was accepted, e.g., wp_capabilities[administrator] for Administrator access.

5.3 MEDIUM5 MEDIUM

Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parameter. This is related to ajax_image_upload and ajax_resize_image.

3.5 LOW

The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.

3.5 LOW

The ultimate-member plugin before 2.0.54 for WordPress has XSS.

3.5 LOW

The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.

6.1 MEDIUM4.3 MEDIUM

The ultimate-member plugin before 2.0.4 for WordPress has XSS.

6.1 MEDIUM4.3 MEDIUM

The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form.

6.1 MEDIUM4.3 MEDIUM

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin before 2.0.28 for WordPress allow remote attackers to inject arbitrary web script or HTML via the "Primary button Text" or "Second button text" field.

4 MEDIUM

Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to modify the other users profiles via unspecified vectors.

4 MEDIUM

Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to add a new form in the 'Forms' page via unspecified vectors.

6.4 MEDIUM

Directory traversal vulnerability in the AJAX function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to read arbitrary files via unspecified vectors.

4 MEDIUM

Unrestricted file upload vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors.

4 MEDIUM

Directory traversal vulnerability in the shortcodes function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to read arbitrary files via unspecified vectors.

3.5 LOW

Cross-site scripting vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

3.5 LOW

Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.

6.8 MEDIUM

The User Profile & Membership plugin before 2.0.7 for WordPress has no mitigations implemented against cross site request forgery attacks. This is a structural finding throughout the entire plugin.