The Ultimate member plugin version 2.0.45 and lower is affected by multiple vulnerabilities, among them is a critical vulnerability allowing malicious users to read and delete your wp-config.php file, which can lead to a complete website takeover.
All of our clients behind our website firewall are already protected, and are not at risk.
The three vulnerabilities have the following DREAD score:
- Arbitrary file read and delete: 8.4
- Admin dashboard XSS: 7.4
- User Profile XSS: 6.8
Disclosure / Response Timeline:
- 2019/05/07: Initial disclosure
- 2019/05/08: Partial patch released (2.0.45)
- 2019/05/10: Complete patch released (2.0.46
File Leak and Delete
If an admin added a File upload or Image upload input field on one of the forms (such as on the user profile), the user can use it to download any file of the server.