Is your WordPress site using the Ultimate Member plugin? If so, you should be aware that the plugin contains critical privilege escalation vulnerabilities. To avoid any issues, you should update the plugin to the latest available version, 2.1.12, which was released on October 29, 2020.
The plugin has been actively installed on more than 100,000 sites, which can be under attack if left unpatched.
The purpose of the Ultimate Member plugin is to enhance user registration and account control on WordPress sites. The plugin enables site owners to create custom roles and control the privileges of site members. The utility automatically creates three forms to function properly, consisting of user registration, login, and profile management.
Three critical privilege escalation vulnerabilities in Ultimate Member WordPress plugin
Wordfence researchers “discovered that the user registration form lacked some checks on submitted user data.” The lack of checks enabled attackers to supply arbitrary user meta keys during the registration process. To spare our readers the heavy technical details, this created a critical vulnerability making it possible for initially unauthenticated users to escalate their privileges to an administrator.
Admin access in the hands of cybercriminals can lead to many malicious activities, including taking the site offline or infecting it with malware. Not surprisingly, the CVSS score of this vulnerability, which has been dubbed “Unauthenticated Privilege Escalation via User Meta,” is 10.00, or critical.
The second plugin vulnerability in Ultimate Member also has the same CVSS rating of 10.00. Known as “Unauthenticated Privilege Escalation via User Roles,” the critical flaw is related to the previous one. “Due to the lack of filtering on the role parameter that could be supplied during the registration process, an attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges,” Wordfence says.
The third vulnerability rated 9.9 in terms of severity, is called “Authenticated Privilege Escalation via Profile Update.” The flaw stems from a lack of capability checks on a profile update. The bug can be used by authenticated users to escalate their privileges with minimal difficulty.