Multiple Vulnerabilities in the WordPress Ultimate Member Plugin

The Ultimate Member plugin, version 2.0.45 and lower, is affected by multiple vulnerabilities. Among them is a critical vulnerability that allows malicious users to read and delete your wp-config.php file, which can lead to a complete website takeover.

If an admin added a File upload or Image upload input field to one of the forms (such as the user profile form), a user can use it to download any file from the server.

These types of inputs can be created by an administrator using the plugin's Form Builder.

By modifying certain data on the form, a malicious user can make the plugin pass along the content of the wp-config.php file instead of the original file or image.
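
To find sites still running an affected release, the following added example (not code from Sucuri or from the plugin) reads the plugin's header and flags version 2.0.45 and lower, comparing numerically so that 2.0.5 is treated as older than 2.0.45. The plugin path `wp-content/plugins/ultimate-member/ultimate-member.php` and the sample header are assumptions made for the example.

```python
import re
from pathlib import Path

# Highest affected release according to the article: 2.0.45 and lower.
LAST_AFFECTED = (2, 0, 45)
# Assumption: the plugin is installed under this directory and main file name.
PLUGIN_MAIN = Path("wp-content/plugins/ultimate-member/ultimate-member.php")
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)",
                         re.MULTILINE | re.IGNORECASE)

def parse_version(text):
    """Return the plugin header version as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """Numeric comparison, padded so that (2, 0) equals (2, 0, 0)."""
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(LAST_AFFECTED)

def audit(wp_roots):
    """Map each WordPress root to 'affected', 'ok', 'unknown' or 'not installed'."""
    results = {}
    for root in wp_roots:
        main = Path(root) / PLUGIN_MAIN
        if not main.is_file():
            results[str(root)] = "not installed"
            continue
        # WordPress itself only scans the first 8 KiB of a file for headers.
        version = parse_version(main.read_text(errors="replace")[:8192])
        if version is None:
            results[str(root)] = "unknown"
        else:
            results[str(root)] = "affected" if is_affected(version) else "ok"
    return results

# Constructed sample header for illustration, not copied from the plugin.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ultimate Member
Version: 2.0.45
*/
"""

if __name__ == "__main__":
    import sys
    for root, status in audit(sys.argv[1:]).items():
        print(f"{status:14} {root}")
```

Run it with one or more WordPress root directories as arguments; an "unknown" result means the plugin file exists but its version header could not be read and should be checked by hand.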

Read more at Sucuri
