It had been over a year since I last looked at the Ultimate Member plugin. The free version claims to have 30,000+ installs now on the wordpress.org repository page.
I have a need for a project I’m working on and was hoping it would be a good fit. After a bit of digging I noticed a severe issue that allowed a logged-in user to modify arbitrary user_meta data.
Most of this information a user can legitimately edit through their profile page, but certain meta keys must never be writable from that form (the wp_capabilities field, for example). A user who is able to change that key can grant themselves administrator privileges on the site.
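As an added defensive example (my own illustration, not Ultimate Member's code), this is the shape of a profile-update handler that avoids the bug class described above: it writes only an explicit allowlist of user_meta keys, drops protected keys such as wp_capabilities even when they are submitted, and logs any write to the capabilities key so unexpected changes stand out in review. The function names, nonce action and the example_phone key are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Function names, the nonce action
// and 'example_phone' are hypothetical; the WordPress API calls are real.

// Meta keys a logged-in user may change on their own profile.
function example_editable_meta_keys() {
    return array( 'first_name', 'last_name', 'description', 'example_phone' );
}

// Keys that must never be written from request data, whatever the form sends.
// $wpdb->prefix covers sites that do not use the default "wp_" prefix.
function example_protected_meta_keys() {
    global $wpdb;
    return array(
        $wpdb->prefix . 'capabilities', // role/capability map
        $wpdb->prefix . 'user_level',   // legacy user level
        'session_tokens',               // active login sessions
    );
}

// Save only allowlisted keys for the current user. Returns the keys written.
function example_save_profile( array $submitted, $nonce ) {
    $user_id = get_current_user_id();
    if ( ! $user_id || ! wp_verify_nonce( $nonce, 'example_save_profile' ) ) {
        return array();
    }
    $written = array();
    foreach ( $submitted as $key => $value ) {
        // Reject protected keys first, then anything outside the allowlist;
        // unknown keys are dropped rather than passed through to user_meta.
        if ( in_array( $key, example_protected_meta_keys(), true ) ) {
            continue;
        }
        if ( ! in_array( $key, example_editable_meta_keys(), true ) ) {
            continue;
        }
        update_user_meta( $user_id, $key, sanitize_text_field( $value ) );
        $written[] = $key;
    }
    return $written;
}

// Detection aid: record every capabilities write with the acting user, so a
// change that did not come from an administrator's session is visible in logs.
add_action( 'update_user_meta', function ( $meta_id, $object_id, $meta_key ) {
    global $wpdb;
    if ( $meta_key === $wpdb->prefix . 'capabilities' ) {
        error_log( sprintf( 'capabilities of user %d changed by user %d',
            $object_id, get_current_user_id() ) );
    }
}, 10, 3 );
```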
Timeline
- 5/24/2016 Initial disclosure email
- 5/26/2016 GitHub repository updated
- 6/1/2016 Ultimate Member version 1.3.53 released