On October 23, 2020, the Wordfence Threat Intelligence team disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site.

Disclosure Timeline
- October 19-23, 2020 – Initial discovery of one vulnerability and further investigation of the plugin, which leads to the discovery of two more vulnerabilities.
- October 23, 2020 – We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users. We initiate contact with the plugin’s developer.
- October 26, 2020 – The plugin’s developer confirms the inbox for handling discussion. We send full disclosure.
- October 26, 2020 – The plugin’s developer confirms the vulnerability and provides us with a patched copy to verify the fixes. We inform them that some flaws still exist.
- October 29, 2020 – The plugin’s developer provides us with a second patched copy to verify the additional fixes. We verify that all has been patched.
- October 29, 2020 – The patch is released in version 2.1.12.
- November 22, 2020 – Free Wordfence users receive the firewall rule.