Ultimate Member is a free WordPress plugin for managing user registration and profiles, with features to help create an online community. On October 23rd, the Threat Intelligence team at Wordfence disclosed multiple vulnerabilities in the plugin that made it possible to escalate privileges and take over a WordPress site. During user registration, a lack of filtering meant that an attacker could add extra fields to the registration form and submit information such as the new user's role. With this, the attacker simply needed to create a new user and modify the request to include the administrator role to gain full privileges. The plugin's developer worked with Wordfence, sending patched updates to test the remediation. By October 29th, all identified vulnerabilities had been patched and version 2.1.12 had been published.
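As an added illustration of the registration-field filtering flaw described above (example code written for this summary, not Ultimate Member's own code; the handler and field names are assumptions), the first handler copies every submitted field into the new account, so a client-supplied `role` field decides the privilege level, while the hardened handler accepts only an explicit allowlist of profile fields and leaves role assignment to WordPress:

```php
<?php
// Added example, not Ultimate Member code. Function names are hypothetical.
// Assumes WordPress is loaded (wp_insert_user, update_user_meta, sanitize_*).

// Weak pattern: every POST field flows into the account. A request that adds
// a field such as role=administrator sets that role on the new user, because
// wp_insert_user() honours a 'role' key in its userdata array.
function example_register_unfiltered( array $post ) {
    $userdata = array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => $post['user_password'] ?? '',
    );
    foreach ( $post as $key => $value ) {   // 'role' lands here unchecked
        if ( ! isset( $userdata[ $key ] ) ) {
            $userdata[ $key ] = $value;
        }
    }
    return wp_insert_user( $userdata );
}

// Hardened pattern: an explicit allowlist of the fields the form may set.
// The role is never read from the request, so WordPress applies the site's
// configured default role for new users.
function example_register_allowlisted( array $post ) {
    $allowed_meta = array( 'first_name', 'last_name', 'description' );

    $userdata = array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => $post['user_password'] ?? '',
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    foreach ( $allowed_meta as $key ) {
        if ( isset( $post[ $key ] ) ) {
            update_user_meta( $user_id, $key, sanitize_text_field( $post[ $key ] ) );
        }
    }
    return $user_id;
}
```

The defensive point is that privilege-bearing attributes such as role must come from server-side configuration, never from any field the client controls.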
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in