The Ultimate member plugin version 2.0.45 and lower is affected by multiple vulnerabilities, among them is a critical vulnerability allowing malicious users to read and delete your wp-config.php file, which can lead to a complete website takeover.
If an admin added a File upload or Image upload input field on one of the forms (such as on the user profile), the user can use it to download any file of the server.
These type of inputs can be created by an administrator using the Form Builder from this plugin.
By modifying certain data on the form, a malicious user can make the plugin pass along the content of the wp-config.php file instead of the original file or image.