Wordfence has disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. Making it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site.
“We initially reached out to the plugin’s developer on October 23, 2020. After establishing an appropriate communication channel, we provided the full disclosure details on October 26, 2020. The developer provided us with a copy of the first intended patch on October 26, 2020 for us to test. We confirmed the patch fixed one of the vulnerabilities, however, two still remained. On October 29, 2020, the plugin’s developer provided us with an updated copy which fully addressed all vulnerabilities. The plugin’s developer released a patched version of Ultimate Member, 2.1.12, on October 29, 2020.
These are critical and severe vulnerabilities that are easy to exploit. Therefore, we highly recommend updating to the patched version, 2.1.12, immediately.”
More info: https://www.wordfence.com