The Ultimate Member plugin, version 2.0.45 and lower, is affected by multiple vulnerabilities, among them a critical one that allows malicious users to read and delete your wp-config.php file, which can lead to a complete website takeover.
All of our clients behind our website firewall are already protected, and are not at risk.
The three vulnerabilities have the following DREAD scores:
- Arbitrary file read and delete: 8.4
- Admin dashboard XSS: 7.4
- User Profile XSS: 6.8
Disclosure / Response Timeline:
- 2019/05/07: Initial disclosure
- 2019/05/08: Partial patch released (2.0.45)
- 2019/05/10: Complete patch released (2.0.46)
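An added example (not code from Sucuri or the Ultimate Member project) that classifies an installed copy of the plugin against the timeline above by reading the Version: header WordPress keeps in the plugin's main file; the sample header text and the file path passed to check_plugin_file are assumptions.

```python
import re
from pathlib import Path

# Constructed, shortened stand-in for a plugin header block; the real file
# carries more header lines, but only "Version:" matters for this check.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ultimate Member
Version: 2.0.45
*/
"""

PARTIAL_FIX = (2, 0, 45)  # partial patch, 2019/05/08
FULL_FIX = (2, 0, 46)     # complete patch, 2019/05/10


def parse_version(header_text):
    """Extract the 'Version:' header as a tuple of ints, or None if absent."""
    m = re.search(r"^\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def pad(version, width=3):
    """Right-pad a version tuple with zeros so (2, 1) compares as (2, 1, 0)."""
    return tuple(version) + (0,) * (width - len(version))


def classify(version):
    """Map a version tuple to a status derived from the disclosure timeline."""
    if version is None:
        return "unknown"
    v = pad(version)
    if v >= pad(FULL_FIX):
        return "patched"
    if v >= pad(PARTIAL_FIX):
        return "partially-patched"  # file read/delete fixed, XSS fixes still pending
    return "vulnerable"


def check_plugin_file(path):
    """Read a plugin's main file from disk and classify its version."""
    return classify(parse_version(Path(path).read_text(errors="replace")))
```

For a fleet, call check_plugin_file on each site's wp-content/plugins/ultimate-member main file (assumed path) and treat anything but "patched" as needing the 2.0.46 update.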
File Leak and Delete
If an admin added a File upload or Image upload input field on one of the forms (such as on the user profile), a user can use it to download any file from the server.
Source: Sucuri