Home » Ultimate Member

Ultimate Member <= 1.3.52 allows users to set arbitrary user meta data

It had been over a year since I last looked at the Ultimate Member plugin. The free version claims to have 30,000+ installs now on the wordpress.org repository page.

I have a need for a project I’m working on and was hoping it would be a good fit. After a bit of digging I noticed a severe issue that allowed a logged in user to modify arbitrary user_meta data.

Most of the information a user could edit through their user profile page, but there are certain data pairs that should not be able to be modified (like the wp_capabilities field).  If a user is able to change this they can give themselves administrator privileges on a site.