I had a need for it on a project I'm working on and was hoping it would be a good fit. After a bit of digging I noticed a severe issue that allowed a logged-in user to modify arbitrary user_meta data.
Most of this information is what a user can legitimately edit through their profile page, but certain meta key/value pairs should never be user-modifiable (the wp_capabilities field, for example). A user who can change that field can grant themselves administrator privileges on the site.
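As an added illustration of the fix a bug like this needs (not Ultimate Member's own code), here is a WordPress profile-update handler that writes only an allowlist of user_meta keys and explicitly refuses the capability keys; the function names and the allowlist contents are assumptions, while the WordPress calls used are real:

```php
<?php
// Added example, not the plugin's code. The vulnerable pattern the post
// describes is, in effect:
//   foreach ($_POST['meta'] as $k => $v) update_user_meta($uid, $k, $v);
// i.e. every submitted key is persisted, wp_capabilities included.

// Hypothetical allowlist: meta keys a user may edit about themselves.
const PROFILE_EDITABLE_META = ['first_name', 'last_name', 'description'];

// Keys that must never be written from request data, even if the allowlist
// is later extended carelessly. $wpdb->prefix covers non-default prefixes.
function profile_protected_meta_keys(): array {
    global $wpdb;
    return [$wpdb->prefix . 'capabilities', $wpdb->prefix . 'user_level'];
}

// Returns only the key => value pairs that are safe to persist.
function profile_filter_meta(array $submitted): array {
    $protected = profile_protected_meta_keys();
    $clean = [];
    foreach ($submitted as $key => $value) {
        $key = sanitize_key($key);
        if (in_array($key, $protected, true)) {
            continue; // a request body never gets to touch capabilities
        }
        if (!in_array($key, PROFILE_EDITABLE_META, true)) {
            continue; // unknown key: drop it, do not write it
        }
        $clean[$key] = sanitize_text_field((string) $value);
    }
    return $clean;
}

// Request handler: requires login and a nonce, and writes only the current
// user's own allowlisted meta (the user id never comes from the request).
function profile_handle_update(): void {
    if (!is_user_logged_in()
        || !wp_verify_nonce($_POST['_wpnonce'] ?? '', 'profile_update')) {
        wp_die('Not allowed', '', ['response' => 403]);
    }
    $user_id = get_current_user_id();
    foreach (profile_filter_meta($_POST['meta'] ?? []) as $key => $value) {
        update_user_meta($user_id, $key, $value);
    }
}
```

The two checks are deliberately redundant: the allowlist is the real control, and the protected-key list is a backstop so that a future allowlist edit cannot reopen the privilege escalation.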
- 5/24/2016 Initial disclosure email
- 5/26/2016 GitHub repository updated
- 6/1/2016 Ultimate Member version 1.3.53 released