CRITICAL · CVE-2020-36832 · CVSS 9.8

CVE-2020-36832: Authentication Bypass in Ultimate Membership Pro

Platform

wordpress

Component

ultimate-membership-pro

Fixed in

8.6.1

AI Confidence: high · Source: NVD · EPSS 0.6% · Reviewed: May 2026

CVE-2020-36832 is a critical authentication bypass in the Ultimate Membership Pro plugin for WordPress. The flaw lets an unauthenticated attacker log in as an existing user without knowing that user's password, and the target can be an administrator. Versions from 7.3 up to, but not including, 8.6.1 are affected; the fix shipped in 8.6.1.


Impact and Attack Scenarios

The impact is severe. Because the bypass needs no credentials, no user interaction and no special conditions, an attacker can authenticate as any account on the site, including the administrator. An administrator session gives full control of content, configuration and user management: the attacker can install malicious plugins or themes, create further admin accounts, modify or exfiltrate data (including member records the plugin manages), deface the site, or take it offline. Since the plugin runs inside WordPress itself, compromising it compromises the whole site, not just the membership features.

Exploitation Context

CVE-2020-36832 was publicly disclosed on October 16, 2024. No public proof-of-concept (PoC) is known and the vulnerability is not listed on CISA KEV. That should not be read as low risk: the attack is network-reachable, needs no privileges and no user interaction, and the SSVC assessment marks it as automatable, so a working exploit is straightforward for anyone who studies the fix. Treat it as a high-priority patch and monitor authentication activity on exposed sites.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.64% (70th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: total

CVSS Vector

CVSS 3.1 base score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network · Attack Complexity: Low · Privileges Required: None · User Interaction: None · Scope: Unchanged · Confidentiality: High · Integrity: High · Availability: High
Source: nextguardhq.com (CVSS v3.1 Base Score)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — the impact stays within the security authority of the vulnerable component. For a WordPress plugin that authority is the WordPress installation itself, so "unchanged" still means the whole site, not just the plugin.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete loss of availability. Here this follows from administrator takeover: an attacker who controls the site can disable it or destroy its content, not only crash it.

Affected Software

Component: ultimate-membership-pro
Vendor: wpindeed
Affected range: 7.3 up to (not including) 8.6.1
Fixed in: 8.6.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2020-36832 is to upgrade the Ultimate Membership Pro plugin to version 8.6.1 or later immediately. Stricter password policies do not help here: the bypass does not depend on guessing a password. If upgrading is not immediately feasible because of compatibility concerns, deactivate the plugin if the site can tolerate losing its membership features, or restrict access to the site's login and administrative areas by source IP. A Web Application Firewall (WAF) rule that blocks or rate-limits anomalous login attempts (for example, requests that identify a target account by username or user ID without a matching password flow) is only a partial layer; the underlying code remains exploitable. After upgrading, assume the window may already have been used: reset administrator passwords, terminate all existing sessions (the update alone does not invalidate a session an attacker already established), and review the user list for unexpected administrators or accounts created since disclosure.
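Two of the steps above, checking whether an installed copy falls in the affected range and reviewing the administrator list, are easy to get subtly wrong (version strings such as "8.6" versus "8.6.1", or an attacker-created admin hiding among legitimate ones). The following is an added example written for this page; it is not code from the advisory or from the plugin vendor. It assumes the WordPress plugin header format (a `Version:` line in the plugin's main PHP file) and a user list shaped like the JSON output of `wp user list`; the header text and user records below are constructed sample data, and the affected range and disclosure date are the ones stated on this page.

```python
"""Added example: affected-version check and post-incident admin review
for CVE-2020-36832 (Ultimate Membership Pro). Not vendor code."""
import re
from datetime import date

# Range as stated on this page: affected from 7.3 up to, but not including, 8.6.1.
FIRST_AFFECTED = (7, 3, 0)
FIXED_IN = (8, 6, 1)

# Publication date from this page; admin accounts created after it deserve a look.
DISCLOSURE_DATE = date(2024, 10, 16)


def parse_version(text):
    """Turn '8.6', '8.6.1' or '8.6.1-rc1' into a comparable 3-tuple of ints.

    Non-numeric suffixes are dropped and short versions are zero-padded,
    so '8.6' compares as (8, 6, 0), which is correctly below the fix (8, 6, 1).
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_from_plugin_header(header_text):
    """Read the 'Version:' field of a WordPress plugin header comment block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: line in plugin header")
    return parse_version(m.group(1))


def is_affected(version):
    """True when the version is in [7.3, 8.6.1). Accepts a string or a tuple."""
    v = parse_version(version) if isinstance(version, str) else version
    return FIRST_AFFECTED <= v < FIXED_IN


def accounts_to_review(users, expected_admins, disclosure=DISCLOSURE_DATE):
    """Flag administrator accounts that are unexpected or created after disclosure.

    `users` mirrors `wp user list --format=json` records (assumption):
    ID, user_login, user_email, user_registered 'YYYY-MM-DD HH:MM:SS', roles
    (comma-separated). Returns [(login, [reasons]), ...] in input order.
    """
    findings = []
    for u in users:
        roles = {r.strip() for r in u.get("roles", "").split(",")}
        if "administrator" not in roles:
            continue
        reasons = []
        if u["user_login"] not in expected_admins:
            reasons.append("not in expected administrator list")
        if date.fromisoformat(u["user_registered"][:10]) >= disclosure:
            reasons.append("created after %s" % disclosure.isoformat())
        if reasons:
            findings.append((u["user_login"], reasons))
    return findings


# Constructed sample input: a vulnerable plugin header and a small user list.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ultimate Membership Pro
Version: 8.6
*/
"""
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2019-03-02 10:00:00", "roles": "administrator"},
    {"ID": 57, "user_login": "wp-support", "user_email": "x@example.net",
     "user_registered": "2024-11-03 01:12:44", "roles": "administrator"},
    {"ID": 58, "user_login": "member42", "user_email": "m42@example.org",
     "user_registered": "2024-11-05 08:30:00", "roles": "subscriber"},
]

if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    print("installed %s affected: %s" % (".".join(map(str, installed)), is_affected(installed)))
    for login, reasons in accounts_to_review(SAMPLE_USERS, {"siteowner"}):
        print("review %s: %s" % (login, "; ".join(reasons)))
```

On a real site, feed `version_from_plugin_header` the contents of the plugin's main PHP file and `accounts_to_review` the parsed output of `wp user list --format=json` together with the administrators you know should exist; the subscriber account above is ignored because the bypass only matters for what an attacker can do with an elevated account.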

How to fix

Update the Ultimate Membership Pro plugin to version 8.6.1 or higher. This release fixes the authentication bypass that allows unauthenticated attackers to log in as any user, including the site administrator. After updating, reset administrator credentials and terminate existing sessions, since the update does not evict a session that was created through the bypass.


Frequently asked questions

What is CVE-2020-36832 — Authentication Bypass in Ultimate Membership Pro?

CVE-2020-36832 is a critical vulnerability allowing unauthenticated attackers to log in as any user, including the administrator, in Ultimate Membership Pro versions from 7.3 up to (not including) 8.6.1.

Am I affected by CVE-2020-36832 in Ultimate Membership Pro?

If you are running Ultimate Membership Pro 7.3 or later and older than 8.6.1, you are vulnerable. Upgrade to 8.6.1 or later; the version is shown in the WordPress plugin list and in the plugin's main PHP file header.

How do I fix CVE-2020-36832 in Ultimate Membership Pro?

Upgrade the Ultimate Membership Pro plugin to version 8.6.1 or later. If immediate upgrade is not possible, implement temporary restrictions and WAF rules.

Is CVE-2020-36832 being actively exploited?

No public exploit is known and the CVE is not on CISA KEV. However, the attack needs no credentials, no user interaction and no special conditions, so exploitation is straightforward once the flaw is understood; patch promptly and monitor login activity and administrator accounts.

Where can I find the official Ultimate Membership Pro advisory for CVE-2020-36832?

Refer to the official Ultimate Membership Pro website and WordPress plugin repository for the latest advisory and update information.
