Ultimate Member versions earlier than 1.3.76 contain a critical security issue that allows unauthenticated users to reset any user's password to an arbitrary value. This could allow an external attacker to take over an Administrator account and completely compromise the WordPress website. The WordPress.org repository claims 40,000+ active installs of this plugin, though there is no way of knowing how many are running vulnerable versions.
If you are running an older version, upgrade immediately. This flaw exists as far back as 1.0.0, the initial release of the plugin. The plugin's change log doesn't mention the specific flaw, and at this time I have not seen an announcement from the Ultimate Member developer. On December 8th, the developer published a blog post and a Twitter post regarding the issue.
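The one check a site owner needs here is whether the installed Ultimate Member version is below 1.3.76. The script below is an added example and is not code from the original post or from the plugin: it reads the Version field from a WordPress plugin header and compares it numerically, because a naive string comparison rates "1.3.8" as newer than "1.3.76". The sample header is constructed; the real file to inspect is the plugin's main PHP file under wp-content/plugins/ (its exact name is not stated in the post, so it is left as an argument).

```python
"""Report whether an installed Ultimate Member plugin predates the 1.3.76 fix.

Added example for this advisory. The sample header below is constructed, and
the location of the plugin's main file is an assumption passed in by the caller.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "1.3.76"

# WordPress plugin headers are "Key: Value" lines inside the opening comment
# block of the plugin's main PHP file; "Version:" is the field wp-admin shows.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version value from a plugin header block, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Convert a dotted version to integers so that 1.3.8 < 1.3.76 holds.

    Plain string comparison gets this wrong ("1.3.8" > "1.3.76"). A suffix such
    as "-beta" stops the parse at the first non-numeric component.
    """
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is earlier than the fixed release."""
    return version_tuple(installed) < version_tuple(fixed)


def check_plugin_file(path: Path) -> Tuple[Optional[str], Optional[bool]]:
    """Read a plugin main file and return (version, vulnerable).

    vulnerable is None when no Version header could be found, so an unreadable
    or unusual file is reported as unknown rather than silently as safe.
    """
    text = path.read_text(encoding="utf-8", errors="replace")
    version = parse_plugin_version(text)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


# Constructed sample in the WordPress plugin-header format (not a real file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ultimate Member
Version: 1.3.75
*/
"""

if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_HEADER)
    state = "VULNERABLE, upgrade" if is_vulnerable(v) else "at or above fixed version"
    print(f"installed {v}: {state}")
```

On a host with WP-CLI, `wp plugin get ultimate-member --field=version` prints the same Version value, which can be fed to `is_vulnerable()` instead of reading the file directly.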
Details
Due to the severity of this vulnerability, I will not provide specific details of the vulnerability at this time.
Timeline
- 11/22/2016 12:00pm Sent vulnerability information to vendor
- 11/23/2016 3:40am Vendor replied saying the issue was resolved with GitHub commit b66c99b
- 11/23/2016 8:45am Sent follow-up to vendor explaining an additional vulnerability
- 11/28/2016 4:52am Received vendor response saying an additional fix was added with GitHub commit c54e8d3
- 11/28/2016 Ultimate Member version 1.3.76 released