Cyber Posture

CVE-2026-25357

Severity: High
Published: 25 March 2026
Modified: 28 April 2026
KEV Added: not listed
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25357 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-14 (Permitted Actions Without Identification or Authentication).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of flaws, directly preventing exploitation of this authentication bypass vulnerability in the Ultimate Membership Pro plugin.

Access enforcement control (prevent)
Enforces approved authorizations for access to system resources, mitigating unauthorized account takeover via alternate paths that bypass authentication.

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Explicitly identifies and authorizes actions performable without identification or authentication, reducing risks from alternate channels enabling authentication abuse.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

The CVE describes an unauthenticated remote authentication bypass in a public-facing WordPress plugin that directly enables exploitation of the application (T1190) and results in full control of valid user accounts for subsequent abuse (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse. This issue affects Ultimate Membership Pro: from n/a through <= 13.7.

Deeper analysis

CVE-2026-25357 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Ultimate Membership Pro WordPress plugin, developed by azzaroco and also known as indeed-membership-pro. This flaw enables Authentication Abuse and affects all versions of the plugin up to and including 13.7. The vulnerability carries a CVSS v3.1 base score of 8.1 (High), reflecting network accessibility, high attack complexity, no required privileges or user interaction, unchanged scope, and high impacts on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network, bypassing authentication mechanisms through an alternate path or channel to achieve account takeover. Successful exploitation grants attackers full control over targeted user accounts, potentially leading to unauthorized access to sensitive data, privilege escalation, or further compromise of the WordPress site.

The Patchstack advisory details this account takeover vulnerability specifically in Ultimate Membership Pro plugin version 13.7 and serves as a key reference for mitigation guidance.

Details

CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)

CVEs Like This One

CVE-2025-7444 (shared CWE-288)
CVE-2026-27389 (shared CWE-288)
CVE-2025-23504 (shared CWE-288)
CVE-2025-8359 (shared CWE-288)
CVE-2025-7710 (shared CWE-288)
CVE-2026-29139 (shared CWE-288)
CVE-2026-27049 (shared CWE-288)
CVE-2025-26966 (shared CWE-288)
CVE-2025-7642 (shared CWE-288)
CVE-2025-1564 (shared CWE-288)