Ultimate Member Plugin

Update Alert — Ultimate Member Plugin

On October 23, 2020, the Wordfence Threat Intelligence team disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site. The fixes were released in version 2.1.12, so any site running an older version of the plugin should update immediately.


Disclosure Timeline

  • October 19-23, 2020 – Initial discovery of one vulnerability; further investigation of the plugin leads to the discovery of two more vulnerabilities.
  • October 23, 2020 – We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users. We initiate contact with the plugin's developer.
  • October 26, 2020 – The plugin's developer confirms the inbox to use for the discussion. We send full disclosure.
  • October 26, 2020 – The plugin's developer confirms the vulnerabilities and provides us with a patched copy to verify the fixes. We inform them that some of the flaws remain unfixed.
  • October 29, 2020 – The plugin's developer provides us with a second patched copy to verify the additional fixes. We verify that all three vulnerabilities have been patched.
  • October 29, 2020 – The patch is released in version 2.1.12.
  • November 22, 2020 – Free Wordfence users receive the firewall rule.

You can read the full post here:
