Recently, we were contacted by a security expert and researcher, James Golovich, regarding a significant security issue that allowed unauthenticated users to reset users password which could allow an external attacker to take over an Administrator account.

We didn’t want to go public with the vulnerability until our users had had time to update to a version 1.3.76. We’d like to say a big thank you to James for the responsible disclosure; he gave us time to fix the issue and for our users to update to 1.3.76 before announcing the vulnerability via his website. You can read James’ post about the vulnerability here.

Github commits to fix the security issue:

If you have not done so already, we would urge you to update to version the latest version of Ultimate member.

Calum Allison

Founder of Ultimate Member - a free online community & user profile plugin for WordPress.

This Post Has One Comment

Leave a Reply