Critical privilege escalation bugs squashed in WordPress Ultimate Member plugin
WordPress has patched a critical privilege escalation vulnerability discovered in the popular plugin Ultimate Member. WordPress is urging its customers to apply the security update as soon as possible to reduce the risk of attacks exploiting the flaw. The plugin has 100,000 active installations spanning thousands of different website types and is used to provide membership, sign-up, and member profile functionality.
On Monday, the Wordfence security team published a report detailing three vulnerabilities found in the plugin that could lead to privilege escalation attacks. This is particularly harmful to website managers because threat actors can escalate their own accounts to administrator level and take over entire websites. The first bug has a CVSS score of 10, the highest possible. It was discovered in the plugin's user registration form process and is the most serious of the three newly patched flaws.