
WordPress Plugin Ultimate Members
If you are using the Ultimate Members plugin for WordPress, you really need to update it soon. Versions below 2.6.7 are vulnerable and could allow regular users to become website admins. This means that someone could change the data on your website without any restrictions.
In geekspeak:
A critical vulnerability in the plugin (CVE-2023-3460) allows an unauthenticated attacker to register as an administrator and take full control of the website. The problem occurs with the plugin registration form. In this form, it appears possible to change certain values to register the account. This includes the wp_capabilities value, which determines the user’s role on the website.
The plugin does not allow users to enter this value, but this filter is easy to bypass, allowing users to edit wp_capabilities and become an admin.
In English for the rest of us:
A vulnerability was discovered that would allow a visitor to your WordPress website who uses Ultimate Members to elevate their access to the administrator level. Users at the administrator level have superpowers, meaning they can change any content on the website. With this access, they would also be able to see any information in the membership database, such as the user’s contact information, and might have access to payment information as well.
The good news is that the developer of the plugin has already issued a fix or patch that can be applied and this will fix the vulnerability. Please note that often these types of emergency patches are followed by another fix to fix something that the first fix didn’t fix. This often happens when an emergency fix like this is required. They rush and miss something.